Reject solv files with bad directories

Bad meaning that there is a block with does not have a single
component. Such a block will trip directory traversion leading
to nasty things.

diff --git a/src/dirpool.c b/src/dirpool.c
index fc57cc5ced08d4fd7aeaf3468967d2d1763a617a..afb26ea5aa068a4967e43b0ab4dcc55bc96fdd10 100644 (file)
--- a/src/dirpool.c
+++ b/src/dirpool.c
@@ -101,8 +101,6 @@ dirpool_add_dir(Dirpool *dp, Id parent, Id comp, int create)
 {
   Id did, d, ds;
 
-  if (comp <= 0)
-    return 0;
   if (!dp->ndirs)
     {
       if (!create)
@@ -112,6 +110,8 @@ dirpool_add_dir(Dirpool *dp, Id parent, Id comp, int create)
       dp->dirs[0] = 0;
       dp->dirs[1] = 1; /* "" */
     }
+  if (comp <= 0)
+    return 0;
   if (parent == 0 && comp == 1)
     return 1;
   if (!dp->dirtraverse)

diff --git a/src/repo_solv.c b/src/repo_solv.c
index 86c851ccf5f2864df014fd02fe604afa62321020..2460e30a8576c43b2eae7d471315cdebe44ac1dd 100644 (file)
--- a/src/repo_solv.c
+++ b/src/repo_solv.c
@@ -873,11 +873,20 @@ repo_add_solv(Repo *repo, FILE *fp, int flags)
        {
          id = read_id(&data, i + numid);
          if (id >= numid)
-           data.dirpool.dirs[i] = -(id - numid);
-         else if (idmap)
-           data.dirpool.dirs[i] = idmap[id];
-         else
-           data.dirpool.dirs[i] = id;
+           {
+             data.dirpool.dirs[i++] = -(id - numid);
+             if (i >= numdir)
+               {
+                 data.error = pool_error(pool, SOLV_ERROR_CORRUPT, "last dir entry is not a component");
+                 break;
+               }
+             id = read_id(&data, numid);
+           }
+         if (idmap)
+           id = idmap[id];
+         data.dirpool.dirs[i] = id;
+         if (id <= 0)
+            data.error = pool_error(pool, SOLV_ERROR_CORRUPT, "bad dir component");
        }
     }