From: Michael Schroeder <mls@suse.de>
Date: Wed, 1 Feb 2017 10:23:02 +0000 (+0100)
Subject: Reject solv files with bad directories
X-Git-Tag: 0.6.25~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64ea54c31ec396531faac2a86b5c0c1c056b59b2;p=thirdparty%2Flibsolv.git

Reject solv files with bad directories

Bad meaning that there is a block with does not have a single
component. Such a block will trip directory traversion leading
to nasty things.
---

diff --git a/src/dirpool.c b/src/dirpool.c
index fc57cc5c..afb26ea5 100644
--- a/src/dirpool.c
+++ b/src/dirpool.c
@@ -101,8 +101,6 @@ dirpool_add_dir(Dirpool *dp, Id parent, Id comp, int create)
 {
   Id did, d, ds;
 
-  if (comp <= 0)
-    return 0;
   if (!dp->ndirs)
     {
       if (!create)
@@ -112,6 +110,8 @@ dirpool_add_dir(Dirpool *dp, Id parent, Id comp, int create)
       dp->dirs[0] = 0;
       dp->dirs[1] = 1;	/* "" */
     }
+  if (comp <= 0)
+    return 0;
   if (parent == 0 && comp == 1)
     return 1;
   if (!dp->dirtraverse)
diff --git a/src/repo_solv.c b/src/repo_solv.c
index 86c851cc..2460e30a 100644
--- a/src/repo_solv.c
+++ b/src/repo_solv.c
@@ -873,11 +873,20 @@ repo_add_solv(Repo *repo, FILE *fp, int flags)
 	{
 	  id = read_id(&data, i + numid);
 	  if (id >= numid)
-	    data.dirpool.dirs[i] = -(id - numid);
-	  else if (idmap)
-	    data.dirpool.dirs[i] = idmap[id];
-	  else
-	    data.dirpool.dirs[i] = id;
+	    {
+	      data.dirpool.dirs[i++] = -(id - numid);
+	      if (i >= numdir)
+		{
+		  data.error = pool_error(pool, SOLV_ERROR_CORRUPT, "last dir entry is not a component");
+		  break;
+		}
+	      id = read_id(&data, numid);
+	    }
+	  if (idmap)
+	    id = idmap[id];
+	  data.dirpool.dirs[i] = id;
+	  if (id <= 0)
+            data.error = pool_error(pool, SOLV_ERROR_CORRUPT, "bad dir component");
 	}
     }