Add a check to ensure that indexes into DirNames are in range. (#51)

The check above ensures that the lengths of these arrays are constrained, but does not ensure that the indexes themselves are within bounds. This leads to a panic when consuming malformed data. A similar check can be found at: https://github.com/rpm-software-management/rpm/blob/master/lib/tagexts.c#L99.
knqyf263 · Dec 6, 2023 · a8af76a · a8af76a
1 parent 4c52bf7
commit a8af76a
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 1 deletion.
diff --git a/pkg/package.go b/pkg/package.go
@@ -400,7 +400,11 @@ func (p *PackageInfo) InstalledFileNames() ([]string, error) {
 
 	var filePaths []string
 	for i, baseName := range p.BaseNames {
-		dir := p.DirNames[p.DirIndexes[i]]
+		idx := p.DirIndexes[i]
+		if len(p.DirNames) <= int(idx) {
+			return nil, xerrors.Errorf("invalid rpm %s", p.Name)
+		}
+		dir := p.DirNames[idx]
 		filePaths = append(filePaths, path.Join(dir, baseName)) // should be slash-separated
 	}
 	return filePaths, nil

diff --git a/pkg/rpmdb_test.go b/pkg/rpmdb_test.go
@@ -1,6 +1,7 @@
 package rpmdb
 
 import (
+	"os"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -813,3 +814,13 @@ func TestRpmDB_Package(t *testing.T) {
 		})
 	}
 }
+
+func TestNevra(t *testing.T) {
+	blob, err := os.ReadFile("testdata/blob.bin")
+	indexEntries, err := headerImport(blob)
+	require.NoError(t, err)
+	pkg, err := getNEVRA(indexEntries)
+	require.NoError(t, err)
+	_, err = pkg.InstalledFiles()
+	require.Error(t, err)
+}
diff --git a/pkg/testdata/blob.bin b/pkg/testdata/blob.bin