From 3e98e27a95e7f722d673ebcc971463048ac89a8b Mon Sep 17 00:00:00 2001
From: Christos Zoulas <christos@zoulas.com>
Date: Wed, 21 May 2014 13:04:38 +0000
Subject: [PATCH] CVE-2014-0207: Prevent 0 element vectors and vectors longer
 than the number of properties from accessing random memory.

---
 src/cdf.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/cdf.c b/src/cdf.c
index 2049ac09..5a74451f 100644
--- a/src/cdf.c
+++ b/src/cdf.c
@@ -35,7 +35,7 @@
 #include "file.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.59 2014/05/14 23:22:48 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.60 2014/05/21 13:04:38 christos Exp $")
 #endif
 
 #include <assert.h>
@@ -827,6 +827,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 		    i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
 		if (inp[i].pi_type & CDF_VECTOR) {
 			nelements = CDF_GETUINT32(q, 1);
+			if (nelements == 0) {
+				DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+				goto out;
+			}
 			o = 2;
 		} else {
 			nelements = 1;
@@ -901,7 +905,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 			}
 			DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
 			    nelements));
-			for (j = 0; j < nelements; j++, i++) {
+			for (j = 0; j < nelements && i < sh.sh_properties;
+			    j++, i++)
+			{
 				uint32_t l = CDF_GETUINT32(q, o);
 				inp[i].pi_str.s_len = l;
 				inp[i].pi_str.s_buf = (const char *)
-- 
2.50.1