From f5452710217c714bdbea7b49b83c069c0ba476d7 Mon Sep 17 00:00:00 2001
From: Lubos Kardos
Date: Fri, 6 Nov 2015 16:24:27 +0100
Subject: [PATCH] - Fix crash when parsing corrupted RPM file - Resolves: #1273360
---
rpm-4.13.0-fix-crash-on-corrupted.patch | 59 +++++++++++++++++++++++++
rpm.spec | 6 ++-
2 files changed, 64 insertions(+), 1 deletion(-)
create mode 100644 rpm-4.13.0-fix-crash-on-corrupted.patch
diff --git a/rpm-4.13.0-fix-crash-on-corrupted.patch b/rpm-4.13.0-fix-crash-on-corrupted.patch
new file mode 100644
index 0000000..fd93a54
--- /dev/null
+++ b/rpm-4.13.0-fix-crash-on-corrupted.patch
@@ -0,0 +1,59 @@
+From 9c36ca411332d2718eca339e867561c39abc256b Mon Sep 17 00:00:00 2001
+From: Lubos Kardos
+Date: Fri, 6 Nov 2015 14:49:59 +0100
+Subject: [PATCH] Fix crash when parsing corrupted RPM file (rhbz:1273360)
+
+---
+ lib/legacy.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/lib/legacy.c b/lib/legacy.c
+index 422c2b0..8ba7bbd 100644
+--- a/lib/legacy.c
++++ b/lib/legacy.c
+@@ -25,7 +25,7 @@ static void compressFilelist(Header h)
+ char ** dirNames;
+ const char ** baseNames;
+ uint32_t * dirIndexes;
+- rpm_count_t count;
++ rpm_count_t count, realCount = 0;
+ int i;
+ int dirIndex = -1;
+
+@@ -58,6 +58,7 @@ static void compressFilelist(Header h)
+ while ((i = rpmtdNext(&fileNames)) >= 0) {
+ dirIndexes[i] = dirIndex;
+ baseNames[i] = rpmtdGetString(&fileNames);
++ realCount++;
+ }
+ goto exit;
+ }
+@@ -87,19 +88,20 @@ static void compressFilelist(Header h)
+ (needle = bsearch(&filename, dirNames, dirIndex + 1, sizeof(dirNames[0]), dncmp)) == NULL) {
+ char *s = xmalloc(len + 1);
+ rstrlcpy(s, filename, len + 1);
+- dirIndexes[i] = ++dirIndex;
++ dirIndexes[realCount] = ++dirIndex;
+ dirNames[dirIndex] = s;
+ } else
+- dirIndexes[i] = needle - dirNames;
++ dirIndexes[realCount] = needle - dirNames;
+
+ *baseName = savechar;
+- baseNames[i] = baseName;
++ baseNames[realCount] = baseName;
++ realCount++;
+ }
+
+ exit:
+ if (count > 0) {
+- headerPutUint32(h, RPMTAG_DIRINDEXES, dirIndexes, count);
+- headerPutStringArray(h, RPMTAG_BASENAMES, baseNames, count);
++ headerPutUint32(h, RPMTAG_DIRINDEXES, dirIndexes, realCount);
++ headerPutStringArray(h, RPMTAG_BASENAMES, baseNames, realCount);
+ headerPutStringArray(h, RPMTAG_DIRNAMES,
+ (const char **) dirNames, dirIndex + 1);
+ }
+--
+1.9.3
+
diff --git a/rpm.spec b/rpm.spec
index 4cd97b0..5d57aa6 100644
--- a/rpm.spec
+++ b/rpm.spec
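Review bot: The `exit:` block in the last lib/legacy.c hunk still tests `if (count > 0)` although the two rewritten calls now pass `realCount`, so a header where no entry ends up stored (presumably the damaged-file case this patch targets) would still reach `headerPutUint32(h, RPMTAG_DIRINDEXES, dirIndexes, realCount)` with a zero count. Changing the guard to `if (realCount > 0)` would make it match what is actually written; how the headerPut* helpers treat a zero count is not visible here. The source-RPM loop in the second hunk only adds `realCount++` and keeps storing through `dirIndexes[i]` and `baseNames[i]`; the two indexes agree as long as nothing in that loop is skipped, but using `realCount` there as well would keep both loops consistent. Both loops start outside the hunks, so the condition under which `i` and `realCount` diverge cannot be seen from this patch, and a short comment at the declaration such as `/* realCount: entries actually stored, may be smaller than count */` would record why two counters exist.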
@@ -29,7 +29,7 @@ Summary: The RPM package management system Name: rpm Version: %{rpmver} -Release: %{?snapver:0.%{snapver}.}10%{?dist} +Release: %{?snapver:0.%{snapver}.}11%{?dist} Group: System Environment/Base Url: http://www.rpm.org/ Source0: http://rpm.org/releases/rpm-4.12.x/%{name}-%{srcver}.tar.bz2 @@ -61,6 +61,7 @@ Patch105: rpm-4.13.0-rpmdeps-weakdep-support.patch Patch106: rpm-4.13.0-autopatch-fix.patch Patch107: rpm-4.13.0-ignore-sigpipe.patch Patch108: rpm-4.13.0-unsupported-keys.patch +Patch109: rpm-4.13.0-fix-crash-on-corrupted.patch # These are not yet upstream Patch302: rpm-4.7.1-geode-i686.patch @@ -565,6 +566,9 @@ exit 0 %doc doc/librpm/html/* %changelog +* Fri Nov 06 2015 Lubos Kardos - 4.13.0-0.rc1.11 +- Fix crash when parsing corrupted RPM file (#1273360) + * Fri Nov 06 2015 Lubos Kardos - 4.13.0-0.rc1.10 - Fix SIGSEGV in case of old unsupported gpg keys (#1277464)