Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS

Upstream fix: https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0
author: Stanislav Malyshev <stas@php.net> 2014-05-26 17:42:18 -0700
committer: Stanislav Malyshev <stas@php.net> 2014-07-18 15:50:58 -0700
commit: d77ea459bd33a5267475a809a86f30a1d89ef0c2 (patch)
tree: dd05269d09ff481b6ea7e9b3f55b79dc40dacded
parent: 44be7b7f276e3536395ab22fd67d11a31f8dad79 (diff)
download: php-git-d77ea459bd33a5267475a809a86f30a1d89ef0c2.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
index 7efa43e00f..ffde3f4dcf 100644
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -823,6 +823,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 		    i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
 		if (inp[i].pi_type & CDF_VECTOR) {
 			nelements = CDF_GETUINT32(q, 1);
+			if (nelements == 0) {
+				DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+				goto out;
+			}
 			o = 2;
 		} else {
 			nelements = 1;
@@ -897,7 +901,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 			}
 			DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
 			    nelements));
-			for (j = 0; j < nelements; j++, i++) {
+			for (j = 0; j < nelements && i < sh.sh_properties; 
+			    j++, i++) 
+			{
 				uint32_t l = CDF_GETUINT32(q, o);
 				inp[i].pi_str.s_len = l;
 				inp[i].pi_str.s_buf = (const char *)
author	Stanislav Malyshev <stas@php.net>	2014-05-26 17:42:18 -0700
committer	Stanislav Malyshev <stas@php.net>	2014-07-18 15:50:58 -0700
commit	d77ea459bd33a5267475a809a86f30a1d89ef0c2 (patch)
tree	dd05269d09ff481b6ea7e9b3f55b79dc40dacded
parent	44be7b7f276e3536395ab22fd67d11a31f8dad79 (diff)
download	php-git-d77ea459bd33a5267475a809a86f30a1d89ef0c2.tar.gz