
Commit f97486e

CVE-2014-0207: Prevent 0 element vectors and vectors longer than the number
of properties from accessing random memory.
1 parent 586f128 commit f97486e


1 file changed

+8
-2
lines changed


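--- a/src/cdf.c
+++ b/src/cdf.c
@@ -35,7 +35,7 @@
 #include "file.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.58 2014/05/13 16:41:06 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.59 2014/05/14 23:22:48 christos Exp $")
 #endif
 
 #include <assert.h>
@@ -827,6 +827,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
 if (inp[i].pi_type & CDF_VECTOR) {
 nelements = CDF_GETUINT32(q, 1);
+if (nelements == 0) {
+DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+goto out;
+}
 o = 2;
 } else {
 nelements = 1;
@@ -901,7 +905,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 }
 DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
 nelements));
-for (j = 0; j < nelements; j++, i++) {
+for (j = 0; j < nelements && i < sh.sh_properties;
+j++, i++)
+{
 uint32_t l = CDF_GETUINT32(q, o);
 inp[i].pi_str.s_len = l;
 inp[i].pi_str.s_buf = (const char *)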
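Review bot: The new loop bound `i < sh.sh_properties` in the last hunk silently truncates an over-long vector, whereas the zero-length case added in the second hunk logs and leaves through `goto out`; the two malformed-input cases are handled inconsistently, and a truncated parse cannot be told apart from a clean one. Assuming `i < sh.sh_properties` holds on entry to the loop, an explicit rejection before it would match the other check: `if (nelements > sh.sh_properties - i) { DPRINTF(("CDF_VECTOR with too many elements\n")); goto out; }`; failing that, a DPRINTF when the loop exits with `j < nelements` would at least leave a trace. Separately, the read `CDF_GETUINT32(q, o)` is limited here only by the element count; whether the offset is also checked against the end of the stream is not visible, because the loop body continues outside the hunk, so that should be confirmed.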
