Check all header strings to resize buffer CVE-2006-5466 (#212833).

Patch backported from rpm5.org / JBJ.
2007-06-18 08:50:52 +03:00 · 2007-06-18 08:50:52 +03:00 · 6f69c70e76
parent 900de8606f
commit 6f69c70e76
1 changed files with 18 additions and 6 deletions
--- a/lib/query.c
+++ b/lib/query.c
@ -150,12 +150,14 @@ int showQueryPackage(QVA_t qva, rpmts ts, Header h)
 {
    int scareMem = 0;
    rpmfi fi = NULL;
+    size_t tb = 2 * BUFSIZ;
+    size_t sb;
    char * t, * te;
    char * prefix = NULL;
    int rc = 0;		/* XXX FIXME: need real return code */
    int i;

-    te = t = xmalloc(BUFSIZ);
+    te = t = xmalloc(tb);
 /*@-boundswrite@*/
    *te = '\0';
 /*@=boundswrite@*/
@ -164,12 +166,13 @@ int showQueryPackage(QVA_t qva, rpmts ts, Header h)
 	const char * str = queryHeader(h, qva->qva_queryFormat);
 	/*@-branchstate@*/
 	if (str) {
-	    size_t tb = (te - t);
-	    size_t sb = strlen(str);
+	    size_t tx = (te - t);

-	    if (sb >= (BUFSIZ - tb)) {
-		t = xrealloc(t, BUFSIZ+sb);
-		te = t + tb;
+	    sb = strlen(str);
+	    if (sb) {
+		tb += sb;
+		t = xrealloc(t, tb);
+		te = t + tx;
 	    }
 /*@-boundswrite@*/
 	    /*@-usereleased@*/
@ -246,6 +249,15 @@ int showQueryPackage(QVA_t qva, rpmts ts, Header h)
 	if ((qva->qva_fflags & RPMFILE_GHOST) && (fflags & RPMFILE_GHOST))
 	    continue;

+	/* Insure space for header derived data */
+	sb = strlen(fn) + strlen(fmd5) + strlen(fuser) + strlen(fgroup) + strlen(flink);
+	if ((sb + BUFSIZ) > tb) {
+	    size_t tx = (te - t);
+	    tb += sb + BUFSIZ;
+	    t = xrealloc(t, tb);
+	    te = t + tx;
+	}
+
 /*@-boundswrite@*/
 	if (!rpmIsVerbose() && prefix)
 	    te = stpcpy(te, prefix);