From: Christos Zoulas <christos@zoulas.com>
Date: Mon, 9 Jun 2014 13:04:37 +0000 (+0000)
Subject: Add missing check offset test (Francisco Alonso, Jan Kaluza at RedHat)
X-Git-Tag: FILE5_19~4
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=93e063ee374b6a75729df9e7201fb511e47e259d;p=file

Add missing check offset test (Francisco Alonso, Jan Kaluza at RedHat)
---

diff --git a/src/cdf.c b/src/cdf.c
index 0bfb31a2..c258e82f 100644
--- a/src/cdf.c
+++ b/src/cdf.c
@@ -35,7 +35,7 @@
 #include "file.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.61 2014/06/04 17:23:19 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.62 2014/06/04 17:26:07 christos Exp $")
 #endif
 
 #include <assert.h>
@@ -816,7 +816,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 	if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
 		goto out;
 	for (i = 0; i < sh.sh_properties; i++) {
-		size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
+		size_t tail = (i << 1) + 1;
+		if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
+		    __LINE__) == -1)
+			goto out;
+		size_t ofs = CDF_GETUINT32(p, tail);
 		q = (const uint8_t *)(const void *)
 		    ((const char *)(const void *)p + ofs
 		    - 2 * sizeof(uint32_t));