From: Zhipeng Xie
Date: Tue, 6 Aug 2019 01:50:57 +0000 (+0800)
Subject: repodata_schema2id: fix heap-buffer-overflow in memcmp
X-Git-Tag: 0.7.6~1^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fdb9c9c03508990e4583046b590c30d958f272da;p=thirdparty%2Flibsolv.git

repodata_schema2id: fix heap-buffer-overflow in memcmp

When the length of last schema in data->schemadata is less than length of input schema, we got a read overflow in asan test.

Signed-off-by: Zhipeng Xie
---
diff --git a/src/repodata.c b/src/repodata.c
index 0c7a51f1..3cae0fe4 100644
--- a/src/repodata.c
+++ b/src/repodata.c
@@ -211,11 +211,13 @@ repodata_schema2id(Repodata *data, Id *schema, int create)
 cid = schematahash[h];
 if (cid)
 {
- if (!memcmp(data->schemadata + data->schemata[cid], schema, len * sizeof(Id)))
+ if ((data->schemata[cid] + len <= data->schemadatalen) &&
+ !memcmp(data->schemadata + data->schemata[cid], schema, len * sizeof(Id)))
 return cid;
 /* cache conflict, do a slow search */
 for (cid = 1; cid < data->nschemata; cid++)
- if (!memcmp(data->schemadata + data->schemata[cid], schema, len * sizeof(Id)))
+ if ((data->schemata[cid] + len <= data->schemadatalen) &&
+ !memcmp(data->schemadata + data->schemata[cid], schema, len * sizeof(Id)))
 return cid;
 }
 /* a new one */
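Review bot: The new bound `data->schemata[cid] + len <= data->schemadatalen` is written out twice, at the cached-hit `if` and again inside the slow-search `for`, and nothing says that it counts elements while the `memcmp` length is in bytes. Assuming `schemadata` is an `Id` array (its declaration is outside the hunk), a comment above the first check such as `/* offsets and schemadatalen are in Ids: skip candidates whose tail is shorter than len */` would keep the two sites in step. The check also bounds only the upper end: the field types are not visible here, but if the offset is a signed value, a negative `schemata[cid]` would still satisfy it and the `memcmp` would read before the buffer. It may be worth confirming that offsets are validated where `schemata` is filled. The body of repodata_schema2id starts and ends outside the hunk.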