Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS
authorStanislav Malyshev <stas@php.net>
Tue, 27 May 2014 00:42:18 +0000 (17:42 -0700)
committerStanislav Malyshev <stas@php.net>
Fri, 18 Jul 2014 22:50:58 +0000 (15:50 -0700)
Upstream fix: https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0

ext/fileinfo/libmagic/cdf.c

index 7efa43e00fa546433d42373aaf6d55a6dc506147..ffde3f4dcfb4c554845249aa476fccbc20d72285 100644 (file)
@@ -823,6 +823,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
                    i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
                if (inp[i].pi_type & CDF_VECTOR) {
                        nelements = CDF_GETUINT32(q, 1);
+                       if (nelements == 0) {
+                               DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+                               goto out;
+                       }
                        o = 2;
                } else {
                        nelements = 1;
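Review bot: The new `nelements == 0` guard has no comment saying why an empty vector is fatal rather than simply skipped, and `goto out` abandons the whole property set, so a reader of this line later will not know whether a zero-length vector is malformed input or just a case the loop below cannot make progress on. Since the commit title ties this to an infinite loop, I would state that intent at the check: `/* an empty vector would make no forward progress below; treat as malformed */`. The value comes straight from the untrusted stream via `CDF_GETUINT32(q, 1)`, so the upper end also deserves a bound where `nelements` is later used to size reads, but that code is outside this hunk and I can only infer it from the title. `cdf_read_property_info` begins and ends outside the hunk.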
@@ -897,7 +901,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
                        }
                        DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
                            nelements));
-                       for (j = 0; j < nelements; j++, i++) {
+                       for (j = 0; j < nelements && i < sh.sh_properties; 
+                           j++, i++) 
+                       {
                                uint32_t l = CDF_GETUINT32(q, o);
                                inp[i].pi_str.s_len = l;
                                inp[i].pi_str.s_buf = (const char *)
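Review bot: The rewritten `for` header carries trailing whitespace on both of its lines and puts the opening brace on a line of its own, which departs from the K&R style used in the surrounding code (`if (inp[i].pi_type & CDF_VECTOR) {` a few lines up); it fits on one line as `for (j = 0; j < nelements && i < sh.sh_properties; j++, i++) {`. The added `i < sh.sh_properties` bound protects the write to `inp[i]`, but the read `CDF_GETUINT32(q, o)` in the body is bounded only by whatever check on `q` against the stream end exists outside this hunk, which I cannot see here; worth confirming that advancing `o` per element stays within the buffer when `nelements` is attacker-controlled. `cdf_read_property_info` begins and ends outside the hunk.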