CVE-2014-0207: Prevent 0 element vectors and vectors longer than the number
authorChristos Zoulas <christos@zoulas.com>
Wed, 21 May 2014 13:04:38 +0000 (13:04 +0000)
committerChristos Zoulas <christos@zoulas.com>
Wed, 21 May 2014 13:04:38 +0000 (13:04 +0000)
of properties from accessing random memory.

src/cdf.c

index 48a00ec47cf41c4a2f9da8ee1adca05f29aba363..375406c3789e8154b5eec38efd3c3ad7492ed342 100644 (file)
--- a/src/cdf.c
+++ b/src/cdf.c
@@ -35,7 +35,7 @@
 #include "file.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.58 2014/05/13 16:41:06 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.59 2014/05/14 23:22:48 christos Exp $")
 #endif
 
 #include <assert.h>
@@ -827,6 +827,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
                    i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
                if (inp[i].pi_type & CDF_VECTOR) {
                        nelements = CDF_GETUINT32(q, 1);
+                       if (nelements == 0) {
+                               DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+                               goto out;
+                       }
                        o = 2;
                } else {
                        nelements = 1;
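Review bot: `nelements` on L26 is a count read straight from the untrusted stream, and the new check on L27 only rejects zero, so no upper bound is established at the point where the value is produced; every later consumer inside `cdf_read_property_info` (the function begins before this hunk) has to bound it on its own, and the loop guard added in the second hunk covers only the string-vector case. A cheap bound here would compare the count with the bytes left between `q` and the end of the stream, e.g. `if (nelements == 0 || nelements > [bytes_left_from_q] / sizeof(uint32_t)) { DPRINTF(("CDF_VECTOR with bad nelements\n")); goto out; }`, where the bytes-left term is whatever end-of-stream pointer the function keeps (not visible in this hunk, so I am assuming one exists). Also consider documenting the new check with `/* a vector header must carry at least one element; an empty vector is a malformed property */` so the reason for aborting rather than skipping is on record.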
@@ -901,7 +905,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
                        }
                        DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
                            nelements));
-                       for (j = 0; j < nelements; j++, i++) {
+                       for (j = 0; j < nelements && i < sh.sh_properties;
+                           j++, i++)
+                       {
                                uint32_t l = CDF_GETUINT32(q, o);
                                inp[i].pi_str.s_len = l;
                                inp[i].pi_str.s_buf = (const char *)
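Review bot: The new guard `i < sh.sh_properties` on L39 keeps the `inp[i]` writes on L43-L44 inside the property table, but it does not bound the reads of `q` at offset `o` on L42 and L44: `o` is advanced per element by a length that itself comes from the stream, so whether a large `nelements` can still read past the end of the stream depends on the loop body (which continues past this hunk) checking `q + o` against the stream end before each `CDF_GETUINT32`. If that check is not there, it belongs at the top of the loop body, `if (q + o >= [stream_end]) goto out;`, with the end pointer being whatever the function already uses for that purpose (not visible here). Separately, the opening brace placed on its own line at L41 departs from the K&R layout used on L25 and L32 of the same function; folding it onto L40, `j++, i++) {`, keeps the style uniform.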