
Commit 46a8443

committed
Limit the number of elements in a vector (found by oss-fuzz)
1 parent 06de62c commit 46a8443


2 files changed

+5
-5
lines changed


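--- a/src/cdf.c
+++ b/src/cdf.c
@@ -35,7 +35,7 @@
 #include "file.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.115 2019/08/23 14:29:14 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.116 2019/08/26 14:31:39 christos Exp $")
 #endif
 
 #include <assert.h>
@@ -1027,8 +1027,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 goto out;
 }
 nelements = CDF_GETUINT32(q, 1);
-if (nelements == 0) {
-DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
+DPRINTF(("CDF_VECTOR with nelements == %"
+SIZE_T_FORMAT "u\n", nelements));
 goto out;
 }
 slen = 2;
@@ -1070,8 +1071,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 goto out;
 inp += nelem;
 }
-DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
-nelements));
 for (j = 0; j < nelements && i < sh.sh_properties;
 j++, i++)
 {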
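Review bot: The bound added at `if (nelements > CDF_ELEMENT_LIMIT || nelements == 0)` is a fixed constant applied to each vector separately, so a count read from the file is accepted up to 100000 regardless of how many bytes of the section remain; nothing in the visible lines ties `nelements` to the remaining input. The `goto out; inp += nelem;` lines in the next hunk suggest a fallible growth step sized before the `for (j = 0; j < nelements && i < sh.sh_properties; ...` loop, but that call is outside the lines shown, so whether repeated vectors can accumulate growth is worth confirming there. I would add a comment above the check, e.g. `/* nelements comes from the file: reject empty or oversized vectors before it sizes anything below */`. cdf_read_property_info starts and ends outside these hunks.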

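--- a/src/cdf.h
+++ b/src/cdf.h
@@ -48,6 +48,7 @@
 typedef int32_t cdf_secid_t;
 
 #define CDF_LOOP_LIMIT 10000
+#define CDF_ELEMENT_LIMIT 100000
 
 #define CDF_SECID_NULL 0
 #define CDF_SECID_FREE -1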
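Review bot: `#define CDF_ELEMENT_LIMIT 100000` is added without a comment saying what it bounds or how the value was chosen, which makes it hard to judge later whether it is still a safe ceiling. From src/cdf.c in this commit it caps the element count of a CDF_VECTOR property, so a comment such as `/* max elements accepted in one CDF_VECTOR property; larger counts are treated as malformed */` above the define would record that. The neighbouring `CDF_LOOP_LIMIT` has the same gap in the lines shown.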
