diff options
author | Stanislav Malyshev <stas@php.net> | 2014-05-26 17:42:18 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2014-07-18 15:50:58 -0700 |
commit | d77ea459bd33a5267475a809a86f30a1d89ef0c2 (patch) | |
tree | dd05269d09ff481b6ea7e9b3f55b79dc40dacded | |
parent | 44be7b7f276e3536395ab22fd67d11a31f8dad79 (diff) | |
download | php-git-d77ea459bd33a5267475a809a86f30a1d89ef0c2.tar.gz |
Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS
Upstream fix: https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0
-rw-r--r-- | ext/fileinfo/libmagic/cdf.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 7efa43e00f..ffde3f4dcf 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -823,6 +823,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, i, inp[i].pi_id, inp[i].pi_type, q - p, offs)); if (inp[i].pi_type & CDF_VECTOR) { nelements = CDF_GETUINT32(q, 1); + if (nelements == 0) { + DPRINTF(("CDF_VECTOR with nelements == 0\n")); + goto out; + } o = 2; } else { nelements = 1; @@ -897,7 +901,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, } DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", nelements)); - for (j = 0; j < nelements; j++, i++) { + for (j = 0; j < nelements && i < sh.sh_properties; + j++, i++) + { uint32_t l = CDF_GETUINT32(q, o); inp[i].pi_str.s_len = l; inp[i].pi_str.s_buf = (const char *) |