From 9c36ca411332d2718eca339e867561c39abc256b Mon Sep 17 00:00:00 2001 From: Lubos Kardos Date: Fri, 6 Nov 2015 14:49:59 +0100 Subject: [PATCH] Fix crash when parsing corrupted RPM file (rhbz:1273360) --- lib/legacy.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/lib/legacy.c b/lib/legacy.c index 422c2b0..8ba7bbd 100644 --- a/lib/legacy.c +++ b/lib/legacy.c @@ -25,7 +25,7 @@ static void compressFilelist(Header h) char ** dirNames; const char ** baseNames; uint32_t * dirIndexes; - rpm_count_t count; + rpm_count_t count, realCount = 0; int i; int dirIndex = -1; @@ -58,6 +58,7 @@ static void compressFilelist(Header h) while ((i = rpmtdNext(&fileNames)) >= 0) { dirIndexes[i] = dirIndex; baseNames[i] = rpmtdGetString(&fileNames); + realCount++; } goto exit; } @@ -87,19 +88,20 @@ static void compressFilelist(Header h) (needle = bsearch(&filename, dirNames, dirIndex + 1, sizeof(dirNames[0]), dncmp)) == NULL) { char *s = xmalloc(len + 1); rstrlcpy(s, filename, len + 1); - dirIndexes[i] = ++dirIndex; + dirIndexes[realCount] = ++dirIndex; dirNames[dirIndex] = s; } else - dirIndexes[i] = needle - dirNames; + dirIndexes[realCount] = needle - dirNames; *baseName = savechar; - baseNames[i] = baseName; + baseNames[realCount] = baseName; + realCount++; } exit: if (count > 0) { - headerPutUint32(h, RPMTAG_DIRINDEXES, dirIndexes, count); - headerPutStringArray(h, RPMTAG_BASENAMES, baseNames, count); + headerPutUint32(h, RPMTAG_DIRINDEXES, dirIndexes, realCount); + headerPutStringArray(h, RPMTAG_BASENAMES, baseNames, realCount); headerPutStringArray(h, RPMTAG_DIRNAMES, (const char **) dirNames, dirIndex + 1); } -- 1.9.3