rpmdb/header.c

Go to the documentation of this file.

/* RPM - Copyright (C) 1995-2002 Red Hat Software */

/* Data written to file descriptors is in network byte order.    */
/* Data read from file descriptors is expected to be in          */
/* network byte order and is converted on the fly to host order. */

#include "system.h"

#define __HEADER_PROTOTYPES__

#include <rpmio_internal.h>     /* XXX for fdGetOPath() */
#include <header_internal.h>

#include "debug.h"

/*@unchecked@*/
int _hdr_debug = 0;

/*@access entryInfo @*/
/*@access indexEntry @*/

/*@access rpmec @*/
/*@access sprintfTag @*/
/*@access sprintfToken @*/
/*@access HV_t @*/

#define PARSER_BEGIN    0
#define PARSER_IN_ARRAY 1
#define PARSER_IN_EXPR  2

/*@observer@*/ /*@unchecked@*/
static unsigned char header_magic[8] = {
        0x8e, 0xad, 0xe8, 0x01, 0x00, 0x00, 0x00, 0x00
};

/*@observer@*/ /*@unchecked@*/
static int typeAlign[16] =  {
    1,  
    1,  
    1,  
    2,  
    4,  
    8,  
    1,  
    1,  
    1,  
    1,  
    1,  
    1,  
    0,
    0,
    0,
    0
};

/*@observer@*/ /*@unchecked@*/
static int typeSizes[16] =  { 
    0,  
    1,  
    1,  
    2,  
    4,  
    8,  
    -1, 
    1,  
    -1, 
    -1, 
    1,  
    1,  
    0,
    0,
    0,
    0
};

/*@unchecked@*/
static size_t headerMaxbytes = (32*1024*1024);

#define hdrchkTags(_ntags)      ((_ntags) & 0xffff0000)

#define hdrchkType(_type) ((_type) < RPM_MIN_TYPE || (_type) > RPM_MAX_TYPE)

#define hdrchkData(_nbytes)     ((_nbytes) & 0xff000000)

#define hdrchkAlign(_type, _off)        ((_off) & (typeAlign[_type]-1))

#define hdrchkRange(_dl, _off)          ((_off) < 0 || (_off) > (_dl))

/*@observer@*/ /*@unchecked@*/
HV_t hdrVec;    /* forward reference */

/*@unused@*/ static inline /*@null@*/ void *
_free(/*@only@*/ /*@null@*/ /*@out@*/ const void * p) /*@modifies *p @*/
{
    if (p != NULL)      free((void *)p);
    return NULL;
}

static
Header headerLink(Header h)
        /*@modifies h @*/
{
/*@-nullret@*/
    if (h == NULL) return NULL;
/*@=nullret@*/

    h->nrefs++;
/*@-modfilesys@*/
if (_hdr_debug)
fprintf(stderr, "--> h  %p ++ %d at %s:%u\n", h, h->nrefs, __FILE__, __LINE__);
/*@=modfilesys@*/

    /*@-refcounttrans @*/
    return h;
    /*@=refcounttrans @*/
}

static /*@null@*/
Header headerUnlink(/*@killref@*/ /*@null@*/ Header h)
        /*@modifies h @*/
{
    if (h == NULL) return NULL;
/*@-modfilesys@*/
if (_hdr_debug)
fprintf(stderr, "--> h  %p -- %d at %s:%u\n", h, h->nrefs, __FILE__, __LINE__);
/*@=modfilesys@*/
    h->nrefs--;
    return NULL;
}

static /*@null@*/
Header headerFree(/*@killref@*/ /*@null@*/ Header h)
        /*@modifies h @*/
{
    (void) headerUnlink(h);

    /*@-usereleased@*/
    if (h == NULL || h->nrefs > 0)
        return NULL;    /* XXX return previous header? */

    if (h->index) {
        indexEntry entry = h->index;
        int i;
        for (i = 0; i < h->indexUsed; i++, entry++) {
            if ((h->flags & HEADERFLAG_ALLOCATED) && ENTRY_IS_REGION(entry)) {
                if (entry->length > 0) {
                    int_32 * ei = entry->data;
                    if ((ei - 2) == h->blob) h->blob = _free(h->blob);
                    entry->data = NULL;
                }
            } else if (!ENTRY_IN_REGION(entry)) {
                entry->data = _free(entry->data);
            }
            entry->data = NULL;
        }
        h->index = _free(h->index);
    }
    h->origin = _free(h->origin);

    /*@-refcounttrans@*/ h = _free(h); /*@=refcounttrans@*/
    return h;
    /*@=usereleased@*/
}

static
Header headerNew(void)
        /*@*/
{
    Header h = xcalloc(1, sizeof(*h));

/*@-boundsread@*/
    /*@-assignexpose@*/
    h->hv = *hdrVec;            /* structure assignment */
    /*@=assignexpose@*/
/*@=boundsread@*/
    h->blob = NULL;
    h->origin = NULL;
    h->instance = 0;
    h->indexAlloced = INDEX_MALLOC_SIZE;
    h->indexUsed = 0;
    h->flags |= HEADERFLAG_SORTED;

    h->index = (h->indexAlloced
        ? xcalloc(h->indexAlloced, sizeof(*h->index))
        : NULL);

    h->nrefs = 0;
    /*@-globstate -observertrans @*/
    return headerLink(h);
    /*@=globstate =observertrans @*/
}

static int indexCmp(const void * avp, const void * bvp)
        /*@*/
{
    /*@-castexpose@*/
    indexEntry ap = (indexEntry) avp, bp = (indexEntry) bvp;
    /*@=castexpose@*/
    return (ap->info.tag - bp->info.tag);
}

static
void headerSort(Header h)
        /*@modifies h @*/
{
    if (!(h->flags & HEADERFLAG_SORTED)) {
/*@-boundsread@*/
        qsort(h->index, h->indexUsed, sizeof(*h->index), indexCmp);
/*@=boundsread@*/
        h->flags |= HEADERFLAG_SORTED;
    }
}

static int offsetCmp(const void * avp, const void * bvp) /*@*/
{
    /*@-castexpose@*/
    indexEntry ap = (indexEntry) avp, bp = (indexEntry) bvp;
    /*@=castexpose@*/
    int rc = (ap->info.offset - bp->info.offset);

    if (rc == 0) {
        /* Within a region, entries sort by address. Added drips sort by tag. */
        if (ap->info.offset < 0)
            rc = (((char *)ap->data) - ((char *)bp->data));
        else
            rc = (ap->info.tag - bp->info.tag);
    }
    return rc;
}

static
void headerUnsort(Header h)
        /*@modifies h @*/
{
/*@-boundsread@*/
    qsort(h->index, h->indexUsed, sizeof(*h->index), offsetCmp);
/*@=boundsread@*/
}

static
unsigned int headerSizeof(/*@null@*/ Header h, enum hMagic magicp)
        /*@modifies h @*/
{
    indexEntry entry;
    unsigned int size = 0;
    unsigned int pad = 0;
    int i;

    if (h == NULL)
        return size;

    headerSort(h);

    switch (magicp) {
    case HEADER_MAGIC_YES:
        size += sizeof(header_magic);
        break;
    case HEADER_MAGIC_NO:
        break;
    }

    /*@-sizeoftype@*/
    size += 2 * sizeof(int_32); /* count of index entries */
    /*@=sizeoftype@*/

    for (i = 0, entry = h->index; i < h->indexUsed; i++, entry++) {
        unsigned diff;
        int_32 type;

        /* Regions go in as is ... */
        if (ENTRY_IS_REGION(entry)) {
            size += entry->length;
            /* XXX Legacy regions do not include the region tag and data. */
            /*@-sizeoftype@*/
            if (i == 0 && (h->flags & HEADERFLAG_LEGACY))
                size += sizeof(struct entryInfo_s) + entry->info.count;
            /*@=sizeoftype@*/
            continue;
        }

        /* ... and region elements are skipped. */
        if (entry->info.offset < 0)
            continue;

        /* Alignment */
        type = entry->info.type;
/*@-boundsread@*/
        if (typeSizes[type] > 1) {
            diff = typeSizes[type] - (size % typeSizes[type]);
            if (diff != typeSizes[type]) {
                size += diff;
                pad += diff;
            }
        }
/*@=boundsread@*/

        /*@-sizeoftype@*/
        size += sizeof(struct entryInfo_s) + entry->length;
        /*@=sizeoftype@*/
    }

    return size;
}

static int dataLength(int_32 type, hPTR_t p, int_32 count, int onDisk,
                /*@null@*/ hPTR_t pend)
        /*@*/
{
    const unsigned char * s = p;
    const unsigned char * se = pend;
    int length = 0;

    switch (type) {
    case RPM_STRING_TYPE:
        if (count != 1)
            return -1;
/*@-boundsread@*/
        while (*s++) {
            if (se && s > se)
                return -1;
            length++;
        }
/*@=boundsread@*/
        length++;       /* count nul terminator too. */
        break;

    case RPM_STRING_ARRAY_TYPE:
    case RPM_I18NSTRING_TYPE:
        /* These are like RPM_STRING_TYPE, except they're *always* an array */
        /* Compute sum of length of all strings, including nul terminators */

        if (onDisk) {
            while (count--) {
                length++;       /* count nul terminator too */
/*@-boundsread@*/
               while (*s++) {
                    if (se && s > se)
                        return -1;
                    length++;
                }
/*@=boundsread@*/
            }
        } else {
            const char ** av = (const char **)p;
/*@-boundsread@*/
            while (count--) {
                /* add one for null termination */
                length += strlen(*av++) + 1;
            }
/*@=boundsread@*/
        }
        break;

    default:
/*@-boundsread@*/
        if (typeSizes[type] == -1)
            return -1;
        length = typeSizes[(type & 0xf)] * count;
/*@=boundsread@*/
        if (length < 0 || (se && (s + length) > se))
            return -1;
        break;
    }

    return length;
}

static int regionSwab(/*@null@*/ indexEntry entry, int il, int dl,
                entryInfo pe,
                unsigned char * dataStart,
                /*@null@*/ const unsigned char * dataEnd,
                int regionid)
        /*@modifies *entry, *dataStart @*/
{
    unsigned char * tprev = NULL;
    unsigned char * t = NULL;
    int tdel = 0;
    int tl = dl;
    struct indexEntry_s ieprev;

/*@-boundswrite@*/
    memset(&ieprev, 0, sizeof(ieprev));
/*@=boundswrite@*/
    for (; il > 0; il--, pe++) {
        struct indexEntry_s ie;
        int_32 type;

        ie.info.tag = ntohl(pe->tag);
        ie.info.type = ntohl(pe->type);
        ie.info.count = ntohl(pe->count);
        ie.info.offset = ntohl(pe->offset);

        if (hdrchkType(ie.info.type))
            return -1;
        if (hdrchkData(ie.info.count))
            return -1;
        if (hdrchkData(ie.info.offset))
            return -1;
/*@-boundsread@*/
        if (hdrchkAlign(ie.info.type, ie.info.offset))
            return -1;
/*@=boundsread@*/

        ie.data = t = dataStart + ie.info.offset;
        if (dataEnd && t >= dataEnd)
            return -1;

        ie.length = dataLength(ie.info.type, ie.data, ie.info.count, 1, dataEnd);
        if (ie.length < 0 || hdrchkData(ie.length))
            return -1;

        ie.rdlen = 0;

        if (entry) {
            ie.info.offset = regionid;
/*@-boundswrite@*/
            *entry = ie;        /* structure assignment */
/*@=boundswrite@*/
            entry++;
        }

        /* Alignment */
        type = ie.info.type;
/*@-boundsread@*/
        if (typeSizes[type] > 1) {
            unsigned diff;
            diff = typeSizes[type] - (dl % typeSizes[type]);
            if (diff != typeSizes[type]) {
                dl += diff;
                if (ieprev.info.type == RPM_I18NSTRING_TYPE)
                    ieprev.length += diff;
            }
        }
/*@=boundsread@*/
        tdel = (tprev ? (t - tprev) : 0);
        if (ieprev.info.type == RPM_I18NSTRING_TYPE)
            tdel = ieprev.length;

        if (ie.info.tag >= HEADER_I18NTABLE) {
            tprev = t;
        } else {
            tprev = dataStart;
            /* XXX HEADER_IMAGE tags don't include region sub-tag. */
            /*@-sizeoftype@*/
            if (ie.info.tag == HEADER_IMAGE)
                tprev -= REGION_TAG_COUNT;
            /*@=sizeoftype@*/
        }

        /* Perform endian conversions */
        switch (ntohl(pe->type)) {
/*@-bounds@*/
        case RPM_INT64_TYPE:
        {   int_64 * it = (int_64 *)t;
            int_32 b[2];
            for (; ie.info.count > 0; ie.info.count--, it += 1) {
                if (dataEnd && ((unsigned char *)it) >= dataEnd)
                    return -1;
                b[1] = htonl(((int_32 *)it)[0]);
                b[0] = htonl(((int_32 *)it)[1]);
                if (b[1] != ((int_32 *)it)[0])
                    memcpy(it, b, sizeof(b));
            }
            t = (char *) it;
        }   /*@switchbreak@*/ break;
        case RPM_INT32_TYPE:
        {   int_32 * it = (int_32 *)t;
            for (; ie.info.count > 0; ie.info.count--, it += 1) {
                if (dataEnd && ((unsigned char *)it) >= dataEnd)
                    return -1;
                *it = htonl(*it);
            }
            t = (char *) it;
        }   /*@switchbreak@*/ break;
        case RPM_INT16_TYPE:
        {   int_16 * it = (int_16 *) t;
            for (; ie.info.count > 0; ie.info.count--, it += 1) {
                if (dataEnd && ((unsigned char *)it) >= dataEnd)
                    return -1;
                *it = htons(*it);
            }
            t = (char *) it;
        }   /*@switchbreak@*/ break;
/*@=bounds@*/
        default:
            t += ie.length;
            /*@switchbreak@*/ break;
        }

        dl += ie.length;
        if (dataEnd && dataStart + dl > dataEnd) return -1;
        tl += tdel;
        ieprev = ie;    /* structure assignment */

    }
    tdel = (tprev ? (t - tprev) : 0);
    tl += tdel;

    /* XXX
     * There are two hacks here:
     *  1) tl is 16b (i.e. REGION_TAG_COUNT) short while doing headerReload().
     *  2) the 8/98 rpm bug with inserting i18n tags needs to use tl, not dl.
     */
    /*@-sizeoftype@*/
    if (tl+REGION_TAG_COUNT == dl)
        tl += REGION_TAG_COUNT;
    /*@=sizeoftype@*/

    return dl;
}

static /*@only@*/ /*@null@*/ void * doHeaderUnload(Header h,
                /*@out@*/ int * lengthPtr)
        /*@modifies h, *lengthPtr @*/
        /*@requires maxSet(lengthPtr) >= 0 @*/
        /*@ensures maxRead(result) == (*lengthPtr) @*/
{
    int_32 * ei = NULL;
    entryInfo pe;
    char * dataStart;
    char * te;
    unsigned pad;
    unsigned len;
    int_32 il = 0;
    int_32 dl = 0;
    indexEntry entry; 
    int_32 type;
    int i;
    int drlen, ndribbles;
    int driplen, ndrips;
    int legacy = 0;

    /* Sort entries by (offset,tag). */
    headerUnsort(h);

    /* Compute (il,dl) for all tags, including those deleted in region. */
    pad = 0;
    drlen = ndribbles = driplen = ndrips = 0;
    for (i = 0, entry = h->index; i < h->indexUsed; i++, entry++) {
        if (ENTRY_IS_REGION(entry)) {
            int_32 rdl = -entry->info.offset;   /* negative offset */
            int_32 ril = rdl/sizeof(*pe);
            int rid = entry->info.offset;

            il += ril;
            dl += entry->rdlen + entry->info.count;
            /* XXX Legacy regions do not include the region tag and data. */
            if (i == 0 && (h->flags & HEADERFLAG_LEGACY))
                il += 1;

            /* Skip rest of entries in region, but account for dribbles. */
            for (; i < h->indexUsed && entry->info.offset <= rid+1; i++, entry++) {
                if (entry->info.offset <= rid)
                    /*@innercontinue@*/ continue;

                /* Alignment */
                type = entry->info.type;
                if (typeSizes[type] > 1) {
                    unsigned diff;
                    diff = typeSizes[type] - (dl % typeSizes[type]);
                    if (diff != typeSizes[type]) {
                        drlen += diff;
                        pad += diff;
                        dl += diff;
                    }
                }

                ndribbles++;
                il++;
                drlen += entry->length;
                dl += entry->length;
            }
            i--;
            entry--;
            continue;
        }

        /* Ignore deleted drips. */
        if (entry->data == NULL || entry->length <= 0)
            continue;

        /* Alignment */
        type = entry->info.type;
        if (typeSizes[type] > 1) {
            unsigned diff;
            diff = typeSizes[type] - (dl % typeSizes[type]);
            if (diff != typeSizes[type]) {
                driplen += diff;
                pad += diff;
                dl += diff;
            } else
                diff = 0;
        }

        ndrips++;
        il++;
        driplen += entry->length;
        dl += entry->length;
    }

    /* Sanity checks on header intro. */
    if (hdrchkTags(il) || hdrchkData(dl))
        goto errxit;

    len = sizeof(il) + sizeof(dl) + (il * sizeof(*pe)) + dl;

/*@-boundswrite@*/
    ei = xmalloc(len);
    ei[0] = htonl(il);
    ei[1] = htonl(dl);
/*@=boundswrite@*/

    pe = (entryInfo) &ei[2];
    dataStart = te = (char *) (pe + il);

    pad = 0;
    for (i = 0, entry = h->index; i < h->indexUsed; i++, entry++) {
        const char * src;
char *t;
        int count;
        int rdlen;

        if (entry->data == NULL || entry->length <= 0)
            continue;

t = te;
        pe->tag = htonl(entry->info.tag);
        pe->type = htonl(entry->info.type);
        pe->count = htonl(entry->info.count);

        if (ENTRY_IS_REGION(entry)) {
            int_32 rdl = -entry->info.offset;   /* negative offset */
            int_32 ril = rdl/sizeof(*pe) + ndribbles;
            int rid = entry->info.offset;

            src = (char *)entry->data;
            rdlen = entry->rdlen;

            /* XXX Legacy regions do not include the region tag and data. */
            if (i == 0 && (h->flags & HEADERFLAG_LEGACY)) {
                int_32 stei[4];

                legacy = 1;
/*@-boundswrite@*/
                memcpy(pe+1, src, rdl);
                memcpy(te, src + rdl, rdlen);
/*@=boundswrite@*/
                te += rdlen;

                pe->offset = htonl(te - dataStart);
                stei[0] = pe->tag;
                stei[1] = pe->type;
                stei[2] = htonl(-rdl-entry->info.count);
                stei[3] = pe->count;
/*@-boundswrite@*/
                memcpy(te, stei, entry->info.count);
/*@=boundswrite@*/
                te += entry->info.count;
                ril++;
                rdlen += entry->info.count;

                count = regionSwab(NULL, ril, 0, pe, t, NULL, 0);
                if (count != rdlen)
                    goto errxit;

            } else {

/*@-boundswrite@*/
                memcpy(pe+1, src + sizeof(*pe), ((ril-1) * sizeof(*pe)));
                memcpy(te, src + (ril * sizeof(*pe)), rdlen+entry->info.count+drlen);
/*@=boundswrite@*/
                te += rdlen;
                {   /*@-castexpose@*/
                    entryInfo se = (entryInfo)src;
                    /*@=castexpose@*/
                    int off = ntohl(se->offset);
                    pe->offset = (off) ? htonl(te - dataStart) : htonl(off);
                }
                te += entry->info.count + drlen;

                count = regionSwab(NULL, ril, 0, pe, t, NULL, 0);
                if (count != (rdlen + entry->info.count + drlen))
                    goto errxit;
            }

            /* Skip rest of entries in region. */
            while (i < h->indexUsed && entry->info.offset <= rid+1) {
                i++;
                entry++;
            }
            i--;
            entry--;
            pe += ril;
            continue;
        }

        /* Ignore deleted drips. */
        if (entry->data == NULL || entry->length <= 0)
            continue;

        /* Alignment */
        type = entry->info.type;
        if (typeSizes[type] > 1) {
            unsigned diff;
            diff = typeSizes[type] - ((te - dataStart) % typeSizes[type]);
            if (diff != typeSizes[type]) {
/*@-boundswrite@*/
                memset(te, 0, diff);
/*@=boundswrite@*/
                te += diff;
                pad += diff;
            }
        }

        pe->offset = htonl(te - dataStart);

        /* copy data w/ endian conversions */
/*@-boundswrite@*/
        switch (entry->info.type) {
        case RPM_INT64_TYPE:
        {   int_32 b[2];
            count = entry->info.count;
            src = entry->data;
            while (count--) {
                b[1] = htonl(((int_32 *)src)[0]);
                b[0] = htonl(((int_32 *)src)[1]);
                if (b[1] == ((int_32 *)src)[0])
                    memcpy(te, src, sizeof(b));
                else
                    memcpy(te, b, sizeof(b));
                te += sizeof(b);
                src += sizeof(b);
            }
        }   /*@switchbreak@*/ break;

        case RPM_INT32_TYPE:
            count = entry->info.count;
            src = entry->data;
            while (count--) {
                *((int_32 *)te) = htonl(*((int_32 *)src));
                /*@-sizeoftype@*/
                te += sizeof(int_32);
                src += sizeof(int_32);
                /*@=sizeoftype@*/
            }
            /*@switchbreak@*/ break;

        case RPM_INT16_TYPE:
            count = entry->info.count;
            src = entry->data;
            while (count--) {
                *((int_16 *)te) = htons(*((int_16 *)src));
                /*@-sizeoftype@*/
                te += sizeof(int_16);
                src += sizeof(int_16);
                /*@=sizeoftype@*/
            }
            /*@switchbreak@*/ break;

        default:
            memcpy(te, entry->data, entry->length);
            te += entry->length;
            /*@switchbreak@*/ break;
        }
/*@=boundswrite@*/
        pe++;
    }
   
    /* Insure that there are no memcpy underruns/overruns. */
    if (((char *)pe) != dataStart)
        goto errxit;
    if ((((char *)ei)+len) != te)
        goto errxit;

    if (lengthPtr)
        *lengthPtr = len;

    h->flags &= ~HEADERFLAG_SORTED;
    headerSort(h);

    return (void *) ei;

errxit:
    /*@-usereleased@*/
    ei = _free(ei);
    /*@=usereleased@*/
    return (void *) ei;
}

static /*@only@*/ /*@null@*/
void * headerUnload(Header h)
        /*@modifies h @*/
{
    int length;
/*@-boundswrite@*/
    void * uh = doHeaderUnload(h, &length);
/*@=boundswrite@*/
    return uh;
}

static /*@null@*/
indexEntry findEntry(/*@null@*/ Header h, int_32 tag, int_32 type)
        /*@modifies h @*/
{
    indexEntry entry, entry2, last;
    struct indexEntry_s key;

    if (h == NULL) return NULL;
    if (!(h->flags & HEADERFLAG_SORTED)) headerSort(h);

    key.info.tag = tag;

/*@-boundswrite@*/
    entry2 = entry = 
        bsearch(&key, h->index, h->indexUsed, sizeof(*h->index), indexCmp);
/*@=boundswrite@*/
    if (entry == NULL)
        return NULL;

    if (type == RPM_NULL_TYPE)
        return entry;

    /* look backwards */
    while (entry->info.tag == tag && entry->info.type != type &&
           entry > h->index) entry--;

    if (entry->info.tag == tag && entry->info.type == type)
        return entry;

    last = h->index + h->indexUsed;
    /*@-usereleased@*/ /* FIX: entry2 = entry. Code looks bogus as well. */
    while (entry2->info.tag == tag && entry2->info.type != type &&
           entry2 < last) entry2++;
    /*@=usereleased@*/

    if (entry->info.tag == tag && entry->info.type == type)
        return entry;

    return NULL;
}

static
int headerRemoveEntry(Header h, int_32 tag)
        /*@modifies h @*/
{
    indexEntry last = h->index + h->indexUsed;
    indexEntry entry, first;
    int ne;

    entry = findEntry(h, tag, RPM_NULL_TYPE);
    if (!entry) return 1;

    /* Make sure entry points to the first occurence of this tag. */
    while (entry > h->index && (entry - 1)->info.tag == tag)  
        entry--;

    /* Free data for tags being removed. */
    for (first = entry; first < last; first++) {
        void * data;
        if (first->info.tag != tag)
            break;
        data = first->data;
        first->data = NULL;
        first->length = 0;
        if (ENTRY_IN_REGION(first))
            continue;
        data = _free(data);
    }

    ne = (first - entry);
    if (ne > 0) {
        h->indexUsed -= ne;
        ne = last - first;
/*@-boundswrite@*/
        if (ne > 0)
            memmove(entry, first, (ne * sizeof(*entry)));
/*@=boundswrite@*/
    }

    return 0;
}

static /*@null@*/
Header headerLoad(/*@kept@*/ void * uh)
        /*@modifies uh @*/
{
    int_32 * ei = (int_32 *) uh;
    int_32 il = ntohl(ei[0]);           /* index length */
    int_32 dl = ntohl(ei[1]);           /* data length */
    /*@-sizeoftype@*/
    size_t pvlen = sizeof(il) + sizeof(dl) +
               (il * sizeof(struct entryInfo_s)) + dl;
    /*@=sizeoftype@*/
    void * pv = uh;
    Header h = NULL;
    entryInfo pe;
    unsigned char * dataStart;
    unsigned char * dataEnd;
    indexEntry entry; 
    int rdlen;
    int i;

    /* Sanity checks on header intro. */
    if (hdrchkTags(il) || hdrchkData(dl))
        goto errxit;

    ei = (int_32 *) pv;
    /*@-castexpose@*/
    pe = (entryInfo) &ei[2];
    /*@=castexpose@*/
    dataStart = (unsigned char *) (pe + il);
    dataEnd = dataStart + dl;

    h = xcalloc(1, sizeof(*h));
    /*@-assignexpose@*/
    h->hv = *hdrVec;            /* structure assignment */
    /*@=assignexpose@*/
    /*@-assignexpose -kepttrans@*/
    h->blob = uh;
    /*@=assignexpose =kepttrans@*/
    h->indexAlloced = il + 1;
    h->indexUsed = il;
    h->index = xcalloc(h->indexAlloced, sizeof(*h->index));
    h->flags |= HEADERFLAG_SORTED;
    h->nrefs = 0;
    h = headerLink(h);

    /*
     * XXX XFree86-libs, ash, and pdksh from Red Hat 5.2 have bogus
     * %verifyscript tag that needs to be diddled.
     */
    if (ntohl(pe->tag) == 15 &&
        ntohl(pe->type) == RPM_STRING_TYPE &&
        ntohl(pe->count) == 1)
    {
        pe->tag = htonl(1079);
    }

    entry = h->index;
    i = 0;
    if (!(htonl(pe->tag) < HEADER_I18NTABLE)) {
        h->flags |= HEADERFLAG_LEGACY;
        entry->info.type = REGION_TAG_TYPE;
        entry->info.tag = HEADER_IMAGE;
        /*@-sizeoftype@*/
        entry->info.count = REGION_TAG_COUNT;
        /*@=sizeoftype@*/
        entry->info.offset = ((unsigned char *)pe - dataStart); /* negative offset */

        /*@-assignexpose@*/
        entry->data = pe;
        /*@=assignexpose@*/
        entry->length = pvlen - sizeof(il) - sizeof(dl);
        rdlen = regionSwab(entry+1, il, 0, pe, dataStart, dataEnd, entry->info.offset);
#if 0   /* XXX don't check, the 8/98 i18n bug fails here. */
        if (rdlen != dl)
            goto errxit;
#endif
        entry->rdlen = rdlen;
        entry++;
        h->indexUsed++;
    } else {
        int_32 rdl;
        int_32 ril;

        h->flags &= ~HEADERFLAG_LEGACY;

        entry->info.type = htonl(pe->type);
        entry->info.count = htonl(pe->count);

        if (hdrchkType(entry->info.type))
            goto errxit;
        if (hdrchkTags(entry->info.count))
            goto errxit;

        {   int off = ntohl(pe->offset);

            if (hdrchkData(off))
                goto errxit;
            if (off) {
/*@-sizeoftype@*/
                size_t nb = REGION_TAG_COUNT;
/*@=sizeoftype@*/
                int_32 * stei = memcpy(alloca(nb), dataStart + off, nb);
                rdl = -ntohl(stei[2]);  /* negative offset */
                ril = rdl/sizeof(*pe);
                if (hdrchkTags(ril) || hdrchkData(rdl))
                    goto errxit;
                entry->info.tag = htonl(pe->tag);
            } else {
                ril = il;
                /*@-sizeoftype@*/
                rdl = (ril * sizeof(struct entryInfo_s));
                /*@=sizeoftype@*/
                entry->info.tag = HEADER_IMAGE;
            }
        }
        entry->info.offset = -rdl;      /* negative offset */

        /*@-assignexpose@*/
        entry->data = pe;
        /*@=assignexpose@*/
        entry->length = pvlen - sizeof(il) - sizeof(dl);
        rdlen = regionSwab(entry+1, ril-1, 0, pe+1, dataStart, dataEnd, entry->info.offset);
        if (rdlen < 0)
            goto errxit;
        entry->rdlen = rdlen;

        if (ril < h->indexUsed) {
            indexEntry newEntry = entry + ril;
            int ne = (h->indexUsed - ril);
            int rid = entry->info.offset+1;
            int rc;

            /* Load dribble entries from region. */
            rc = regionSwab(newEntry, ne, 0, pe+ril, dataStart, dataEnd, rid);
            if (rc < 0)
                goto errxit;
            rdlen += rc;

          { indexEntry firstEntry = newEntry;
            int save = h->indexUsed;
            int j;

            /* Dribble entries replace duplicate region entries. */
            h->indexUsed -= ne;
            for (j = 0; j < ne; j++, newEntry++) {
                (void) headerRemoveEntry(h, newEntry->info.tag);
                if (newEntry->info.tag == HEADER_BASENAMES)
                    (void) headerRemoveEntry(h, HEADER_OLDFILENAMES);
            }

            /* If any duplicate entries were replaced, move new entries down. */
/*@-boundswrite@*/
            if (h->indexUsed < (save - ne)) {
                memmove(h->index + h->indexUsed, firstEntry,
                        (ne * sizeof(*entry)));
            }
/*@=boundswrite@*/
            h->indexUsed += ne;
          }
        }
    }

    h->flags &= ~HEADERFLAG_SORTED;
    headerSort(h);

    /*@-globstate -observertrans @*/
    return h;
    /*@=globstate =observertrans @*/

errxit:
    /*@-usereleased@*/
    if (h) {
        h->index = _free(h->index);
        /*@-refcounttrans@*/
        h = _free(h);
        /*@=refcounttrans@*/
    }
    /*@=usereleased@*/
    /*@-refcounttrans -globstate@*/
    return h;
    /*@=refcounttrans =globstate@*/
}

static /*@observer@*/ /*@null@*/
const char * headerGetOrigin(/*@null@*/ Header h)
        /*@*/
{
    return (h != NULL ? h->origin : NULL);
}

static
int headerSetOrigin(/*@null@*/ Header h, const char * origin)
        /*@modifies h @*/
{
    if (h != NULL) {
        h->origin = _free(h->origin);
        h->origin = xstrdup(origin);
    }
    return 0;
}

static
int headerGetInstance(/*@null@*/ Header h)
        /*@*/
{
    return (h != NULL ? h->instance : 0);
}

static
int headerSetInstance(/*@null@*/ Header h, int instance)
        /*@modifies h @*/
{
    if (h != NULL)
        h->