Permalink
Browse files

CVE-2014-0207: Prevent 0 element vectors and vectors longer than the …

…number

of properties from accessing random memory.
  • Loading branch information...
zoulasc committed May 21, 2014
1 parent 586f128 commit f97486ef5dc3e8735440edc4fc8808c63e1a3ef0
Showing with 8 additions and 2 deletions.
  1. +8 −2 src/cdf.c
View
@@ -35,7 +35,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.58 2014/05/13 16:41:06 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.59 2014/05/14 23:22:48 christos Exp $")
#endif
#include <assert.h>
@@ -827,6 +827,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
if (inp[i].pi_type & CDF_VECTOR) {
nelements = CDF_GETUINT32(q, 1);
+ if (nelements == 0) {
+ DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+ goto out;
+ }
o = 2;
} else {
nelements = 1;
@@ -901,7 +905,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
}
DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
nelements));
- for (j = 0; j < nelements; j++, i++) {
+ for (j = 0; j < nelements && i < sh.sh_properties;
+ j++, i++)
+ {
uint32_t l = CDF_GETUINT32(q, o);
inp[i].pi_str.s_len = l;
inp[i].pi_str.s_buf = (const char *)

0 comments on commit f97486e

Please sign in to comment.