CVE-2014-0207: Prevent 0 element vectors and vectors longer than the number
authorChristos Zoulas <christos@zoulas.com>
Wed, 21 May 2014 13:04:38 +0000 (13:04 +0000)
committerChristos Zoulas <christos@zoulas.com>
Wed, 21 May 2014 13:04:38 +0000 (13:04 +0000)
of properties from accessing random memory.

src/cdf.c

index 2049ac096cb190d16dffaae654da09a7e9c74efa..5a74451f865182c1296adf7fb353bcf8e375482c 100644 (file)
--- a/src/cdf.c
+++ b/src/cdf.c
@@ -35,7 +35,7 @@
 #include "file.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.59 2014/05/14 23:22:48 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.60 2014/05/21 13:04:38 christos Exp $")
 #endif
 
 #include <assert.h>
@@ -827,6 +827,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
                    i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
                if (inp[i].pi_type & CDF_VECTOR) {
                        nelements = CDF_GETUINT32(q, 1);
+                       if (nelements == 0) {
+                               DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+                               goto out;
+                       }
                        o = 2;
                } else {
                        nelements = 1;
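Review bot: The new zero-element check on the CDF_VECTOR branch jumps to `out` without saying why an empty vector is treated as corrupt rather than as a harmless no-op, and the DPRINTF only restates the condition. A one-line rationale would spare the next reader a trip to the CVE, e.g. `/* CVE-2014-0207: reject empty vectors; the per-element handling below presumably assumes nelements >= 1 */` — hedged, because the code that consumes nelements is outside this hunk. cdf_read_property_info begins and ends outside the hunk.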
@@ -901,7 +905,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
                        }
                        DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
                            nelements));
-                       for (j = 0; j < nelements; j++, i++) {
+                       for (j = 0; j < nelements && i < sh.sh_properties;
+                           j++, i++)
+                       {
                                uint32_t l = CDF_GETUINT32(q, o);
                                inp[i].pi_str.s_len = l;
                                inp[i].pi_str.s_buf = (const char *)
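Review bot: The added `i < sh.sh_properties` bound stops the element loop silently, so a vector that claims more elements than there are property slots is truncated with no diagnostic, unlike the zero-element case in the earlier hunk which logs and jumps to `out`. Consider mirroring that after the loop: `if (j < nelements) { DPRINTF(("vector truncated\n")); goto out; }` — whether to fail or only log depends on how `i` is used once the loop exits, which is outside this hunk. Note the new bound only protects the `inp[i]` writes; the `CDF_GETUINT32(q, o)` reads still rely on `o` being checked against the stream end elsewhere. cdf_read_property_info begins and ends outside the hunk.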