Silence tainted scalar on rdlen

2042        ttl = isc_buffer_getuint32(&j->it.source);
    	    13. tainted_data_transitive: Call to function isc_buffer_getuint16 with tainted argument *j->it.source.base returns tainted data. [show details]
    	    14. var_assign: Assigning: rdlen = isc_buffer_getuint16(&j->it.source), which taints rdlen.
    2043        rdlen = isc_buffer_getuint16(&j->it.source);
    2044
    2045        /*
    2046         * Parse the rdata.
    2047         */
    	    15. Condition j->it.source.used - j->it.source.current != rdlen, taking false branch.
    2048        if (isc_buffer_remaininglength(&j->it.source) != rdlen) {
    2049                FAIL(DNS_R_FORMERR);
    2050        }
    	    16. var_assign_var: Assigning: j->it.source.active = j->it.source.current + rdlen. Both are now tainted.
    2051        isc_buffer_setactive(&j->it.source, rdlen);
    2052        dns_rdata_reset(&j->it.rdata);
    	    17. lower_bounds: Checking lower bounds of unsigned scalar j->it.source.active by taking the true branch of j->it.source.active > j->it.source.current.

    CID 316506 (#1 of 1): Untrusted loop bound (TAINTED_SCALAR)
    18. tainted_data: Passing tainted expression j->it.source.active to dns_rdata_fromwire, which uses it as a loop boundary. [show details]
    	    Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
    2053        CHECK(dns_rdata_fromwire(&j->it.rdata, rdclass, rdtype, &j->it.source,
    2054                                 &j->it.dctx, 0, &j->it.target));

lib/dns/journal.c

@@ -2043,6 +2043,14 @@ read_one_rr(dns_journal_t *j) {
 	ttl = isc_buffer_getuint32(&j->it.source);
 	rdlen = isc_buffer_getuint16(&j->it.source);
 
+	if (rdlen > DNS_RDATA_MAXLENGTH) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: journal corrupt: impossible rdlen "
+			      "(%u bytes)",
+			      j->filename, rdlen);
+		FAIL(ISC_R_FAILURE);
+	}
+
 	/*
 	 * Parse the rdata.
 	 */