[Rpm-maint] [rpm-software-management/rpm] Fix IMA signature lengths assumed constant (#1833, RhBug:2018937) (PR #1844)

Demi Marie Obenour notifications at github.com
Mon Dec 6 13:48:11 UTC 2021


@DemiMarie commented on this pull request.

There are a few areas where I would like to see a proof of no integer overflow.

>  	const char *s;
 
+	/* Figure string sizes + max length for allocation purposes */
+	if (lengths) {
+	    int maxl = 0;
+	    int *lens = xmalloc(num * sizeof(*lens));

```suggestion
	    int *lens = xcalloc(num, sizeof(*lens));
```

This is safer in the event of an overflow.

>  	const char *s;
 
+	/* Figure string sizes + max length for allocation purposes */
+	if (lengths) {
+	    int maxl = 0;
+	    int *lens = xmalloc(num * sizeof(*lens));
+	    int i = 0;
+
+	    while ((s = rpmtdNextString(&td))) {
+		lens[i] = strlen(s) / 2;

What if `strlen(s)` is odd?  That should be an error.

> @@ -579,9 +580,9 @@ const unsigned char * rpmfilesFSignature(rpmfiles fi, int ix, size_t *len)
 
     if (fi != NULL && ix >= 0 && ix < rpmfilesFC(fi)) {
 	if (fi->signatures != NULL)
-	    signature = fi->signatures + (fi->signaturelength * ix);
+	    signature = fi->signatures + (fi->signaturemaxlen * ix);

Is there a proof that this cannot overflow?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1844#pullrequestreview-823965693
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20211206/d3823792/attachment.html>


More information about the Rpm-maint mailing list