repo_deb: fix bugs in gzip header skipping

author Michael Schroeder <mls@suse.de>

Fri, 20 Oct 2017 13:28:40 +0000 (15:28 +0200)

committer Michael Schroeder <mls@suse.de>

Fri, 20 Oct 2017 13:28:57 +0000 (15:28 +0200)
author Michael Schroeder <mls@suse.de>
Fri, 20 Oct 2017 13:28:40 +0000 (15:28 +0200)
committer Michael Schroeder <mls@suse.de>
Fri, 20 Oct 2017 13:28:57 +0000 (15:28 +0200)
diff --git a/ext/repo_deb.c b/ext/repo_deb.c

index 8952e3087ab4435cf0ab71f5b89ac714818de6dc..6b17cf76a9510d2eda912801f79e2b626d957eba 100644 (file)
--- a/ext/repo_deb.c
+++ b/ext/repo_deb.c
@@ -595,7 +595,7 @@ repo_add_deb(Repo *repo, const char *deb, int flags)
    ctar = 0;
    if (control_comp == CONTROL_COMP_GZIP)
      {
-      if (ctgz[0] != 0x1f || ctgz[1] != 0x8b)
+      if (clen <= 10 || ctgz[0] != 0x1f || ctgz[1] != 0x8b)
         {
           pool_error(pool, -1, "%s: control.tar.gz is not gzipped", deb);
           solv_free(ctgz);
@@ -612,21 +612,15 @@ repo_add_deb(Repo *repo, const char *deb, int flags)
        if (ctgz[3] & 0x04)
         {
           /* skip extra field */
-         l = bp[0] | bp[1] << 8;
+         l = bp + 2 >= ctgz + clen ? 0 : (bp[0] | bp[1] << 8);
           bp += l + 2;
-         if (bp >= ctgz + clen)
-           {
-             pool_error(pool, -1, "%s: control.tar.gz is corrupt", deb);
-             solv_free(ctgz);
-             return 0;
-           }
         }
        if (ctgz[3] & 0x08)      /* orig filename */
-       while (*bp)
-         bp++;
+       while (bp < ctgz + clen && *bp++)
+         ;
        if (ctgz[3] & 0x10)      /* file comment */
-       while (*bp)
-         bp++;
+       while (bp < ctgz + clen && *bp++)
+         ;
        if (ctgz[3] & 0x02)      /* header crc */
         bp += 2;
        if (bp >= ctgz + clen)
author	Michael Schroeder <mls@suse.de>
	Fri, 20 Oct 2017 13:28:40 +0000 (15:28 +0200)
committer	Michael Schroeder <mls@suse.de>
	Fri, 20 Oct 2017 13:28:57 +0000 (15:28 +0200)