From eb6254269508b37bab88e3ee7deebaf44afca82a Mon Sep 17 00:00:00 2001
From: Panu Matilainen
Date: Wed, 11 Jun 2014 15:28:36 +0300
Subject: [PATCH] Fix ancient buffer overflow on unterminated macro options

- Test for terminating ')' existence before copying, otherwise we'll end up walking over the edge of the world.
- Return address from doDefine() on error will likely differ after this, whether that actually affects anything remains to be seen...
---
 rpmio/macro.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/rpmio/macro.c b/rpmio/macro.c
index d5659ceb0..12a65a446 100644
--- a/rpmio/macro.c
+++ b/rpmio/macro.c
@@ -485,9 +485,15 @@ doDefine(MacroBuf mb, const char * se, size_t slen, int level, int expandbody)
 oe = ne + 1;
 if (*s == '(') {
 s++; /* skip ( */
- o = oe;
- COPYOPTS(oe, s, oc);
- s++; /* skip ) */
+ /* Options must be terminated with ')' */
+ if (strchr(s, ')')) {
+ o = oe;
+ COPYOPTS(oe, s, oc);
+ s++; /* skip ) */
+ } else {
+ rpmlog(RPMLOG_ERR, _("Macro %%%s has unterminated opts\n"), n);
+ goto exit;
+ }
 }

 /* Copy body, skipping over escaped newlines */
@@ -558,12 +564,6 @@ doDefine(MacroBuf mb, const char * se, size_t slen, int level, int expandbody)
 goto exit;
 }

- /* Options must be terminated with ')' */
- if (o && oc != ')') {
- rpmlog(RPMLOG_ERR, _("Macro %%%s has unterminated opts\n"), n);
- goto exit;
- }
-
 if ((be - b) < 1) {
 rpmlog(RPMLOG_ERR, _("Macro %%%s has empty body\n"), n);
 goto exit;
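Review bot: The new guard `if (strchr(s, ')'))` in the first hunk searches up to the terminating NUL and ignores `slen`, so a ')' anywhere later in the input, including in the body or on a following line, satisfies it and determines how many bytes COPYOPTS writes at `oe`. Neither the COPYOPTS definition nor the size of the destination buffer is visible here, so it is worth confirming the buffer is sized for the whole remaining string, or bounding the search, for example `if (memchr(s, ')', slen - (size_t)(s - se)))`, assuming `slen` is the length of the text at `se` and `s` still points into it. A short comment recording why the test must precede the copy would also help, for example `/* check before COPYOPTS: without a ')' the copy and the s++ after it are not stopped inside the string */`. doDefine starts and ends outside this hunk.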