
Limit the number of elements in a vector (found by oss-fuzz)

zoulasc committed Aug 26, 2019
1 parent 06de62c commit 46a8443f76cec4b41ec736eca396984c74664f84
Showing with 5 additions and 5 deletions.
  1. +4 −5 src/cdf.c
  2. +1 −0 src/cdf.h
@@ -35,7 +35,7 @@
#include "file.h"

#ifndef lint
FILE_RCSID("@(#)$File: cdf.c,v 1.115 2019/08/23 14:29:14 christos Exp $")
FILE_RCSID("@(#)$File: cdf.c,v 1.116 2019/08/26 14:31:39 christos Exp $")
#endif

#include <assert.h>
@@ -1027,8 +1027,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
goto out;
}
nelements = CDF_GETUINT32(q, 1);
if (nelements == 0) {
DPRINTF(("CDF_VECTOR with nelements == 0\n"));
if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
DPRINTF(("CDF_VECTOR with nelements == %"
SIZE_T_FORMAT "u\n", nelements));
goto out;
}
slen = 2;
@@ -1070,8 +1071,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
goto out;
inp += nelem;
}
DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
nelements));
for (j = 0; j < nelements && i < sh.sh_properties;
j++, i++)
{
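Review bot: The added check `nelements > CDF_ELEMENT_LIMIT || nelements == 0` in the CDF_VECTOR branch caps each vector on its own, and nothing visible in these hunks bounds the total when one section carries many vector properties; since `nelements` is read from the file via `CDF_GETUINT32(q, 1)` and later feeds `inp += nelem` and the `j < nelements` loop, it is worth confirming that the growth step outside the hunk enforces its own limit. A short comment above the check would record the intent, for example `/* nelements is file-controlled: reject empty or oversized vectors before it sizes the loop below */`. The debug message now covers both the zero and the over-limit case, so the log alone no longer says which condition fired. The commit title credits oss-fuzz, yet the diffstat lists only src/cdf.c and src/cdf.h, so the reproducer does not appear to be added as a regression test here. cdf_read_property_info starts and ends outside the hunks.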
@@ -48,6 +48,7 @@
typedef int32_t cdf_secid_t;

#define CDF_LOOP_LIMIT 10000
#define CDF_ELEMENT_LIMIT 100000

#define CDF_SECID_NULL 0
#define CDF_SECID_FREE -1
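Review bot: `CDF_ELEMENT_LIMIT` is added next to `CDF_LOOP_LIMIT` without a comment saying what it bounds or why 100000 was chosen, so a later reader cannot tell whether the value is safe to raise. I would add `/* max element count accepted for one CDF_VECTOR property; the count is read from the file */` above the define. What the limit is compared against is taken from the src/cdf.c part of this commit; the header hunk itself does not show the use.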
