author | Christos Zoulas <christos@zoulas.com> | 2014-05-21 13:04:38 +0000 |
---|---|---|
committer | Christos Zoulas <christos@zoulas.com> | 2014-05-21 13:04:38 +0000 |
commit | 3e98e27a95e7f722d673ebcc971463048ac89a8b (patch) | |
tree | ac0a4f5723224d9b8d01a3210ab7dacffe345b52 /src/cdf.c | |
parent | 3c16fc95659af154a7002ec1bfe7d18d8ba575aa (diff) | |
download | file-git-3e98e27a95e7f722d673ebcc971463048ac89a8b.tar.gz |
CVE-2014-0207: Prevent 0 element vectors and vectors longer than the number
of properties from accessing random memory.
Diffstat (limited to 'src/cdf.c')
-rw-r--r-- | src/cdf.c | 10 |
1 files changed, 8 insertions, 2 deletions
@@ -35,7 +35,7 @@
 #include "file.h"
 #ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.59 2014/05/14 23:22:48 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.60 2014/05/21 13:04:38 christos Exp $")
 #endif
 #include <assert.h>
@@ -827,6 +827,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
 if (inp[i].pi_type & CDF_VECTOR) {
 nelements = CDF_GETUINT32(q, 1);
+ if (nelements == 0) {
+ DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+ goto out;
+ }
 o = 2;
 } else {
 nelements = 1;
@@ -901,7 +905,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 }
 DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", nelements));
- for (j = 0; j < nelements; j++, i++) {
+ for (j = 0; j < nelements && i < sh.sh_properties;
+ j++, i++)
+ {
 uint32_t l = CDF_GETUINT32(q, o);
 inp[i].pi_str.s_len = l;
 inp[i].pi_str.s_buf = (const char *) |
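Review bot: The guard added in the `CDF_VECTOR` branch of the `-827,6 +827,10` hunk rejects a zero count, but `nelements` comes straight from the file through `CDF_GETUINT32(q, 1)` and still has no upper limit at this point. The only cap visible in this commit is the `i < sh.sh_properties` term added to the string loop in the next hunk. Any code between this branch and that loop that sizes an allocation or an offset from `nelements` would still see the raw value; that code is outside the hunk, so this needs confirming rather than assuming. The hunk also does not show whether `q` was checked to leave room for the count word before it is read. A short comment on the new test, for example `/* CVE-2014-0207: an empty vector led to out-of-bounds access */`, would keep the reason next to the code.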
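Review bot: The `i < sh.sh_properties` term added in the `-901,7 +905,9` hunk bounds the index into `inp`, but the first statement of the loop body still reads `CDF_GETUINT32(q, o)` and stores that file-supplied length in `pi_str.s_len`. Nothing in this hunk checks that offset `o` or the length stays inside the stream. The rest of the loop body lies outside the hunk, so a check may exist there; the read position should be validated against the end of the section before `q` is dereferenced, not after. The loop also now stops silently once the property count is exhausted, so a `DPRINTF` on exit when `j < nelements` would make the truncation visible, as the commit already does for the empty-vector case. As a style point, the `{` on a line of its own after the wrapped `for` header departs from the same-line brace on the removed line.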