From 5e40166380a450a36b302914be60fd004624f724 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Wed, 13 Jan 2021 15:54:17 -0500
Subject: [PATCH] Tag data must have count greater than zero

Zero counts are invalid, and they cause problems elsewhere. For instance, strtaglen() will suffer an integer underflow.
---
 lib/header.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/header.c b/lib/header.c
index fc52c3178..41c2da94f 100644
--- a/lib/header.c
+++ b/lib/header.c
@@ -128,6 +128,13 @@ static const size_t headerMaxbytes = (256*1024*1024);
 **/
 #define hdrchkTag(_tag) ((_tag) < HEADER_I18NTABLE)
 
+/**
+ * Reasonableness check on count values.
+ * Catches nasty stuff like negative or zero counts, which would cause
+ * integer underflows in strtaglen().
+ */
+#define hdrchkCount(_count) ((_count) == 0)
+
 /**
 * Sanity check on type values.
 */
@@ -279,6 +286,8 @@ static rpmRC hdrblobVerifyInfo(hdrblob blob, char **emsg)
 goto err;
 if (hdrchkType(info.type))
 goto err;
+ if (hdrchkCount(info.count))
+ goto err;
 if (hdrchkAlign(info.type, info.offset))
 goto err;
 if (hdrchkRange(blob->dl, info.offset))
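Review bot: The doc comment on `hdrchkCount` promises more than the macro checks: it says "negative or zero counts" are caught, but the body `((_count) == 0)` tests for zero only. The declaration of the count field is not in this hunk; if it is an unsigned type, a "negative" value is simply a very large count and passes this check, so the comment should read something like `Catches zero counts, which would cause integer underflows in strtaglen().`. If the field is signed, the test itself would need to be `((_count) <= 0)` to match the comment.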
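Review bot: The new `hdrchkCount(info.count)` guard in hdrblobVerifyInfo rejects a zero count only, so an implausibly large count read from the header blob still gets past this point. The function continues outside the hunk, so a later bound on the count may exist but is not visible here. Since `blob->dl` (presumably the data length) is already used by `hdrchkRange` two lines below, consider bounding the count against it at the same place, for example `if (hdrchkCount(info.count) || info.count > blob->dl)`. That assumes every element occupies at least one byte and that the two operands compare without a signedness surprise, which should be confirmed against their declarations. A short comment such as `/* a zero count underflows in strtaglen() */` at the call site would also record why the check sits here.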