From 22736b7c56d678f142d5dd21f4996e5819507a2b Mon Sep 17 00:00:00 2001 |
|
From: Stanislav Malyshev <stas@php.net> |
|
Date: Mon, 26 May 2014 17:42:18 -0700 |
|
Subject: [PATCH] Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS |
|
|
|
Upstream fix: https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0 |
|
--- |
|
ext/fileinfo/libmagic/cdf.c | 8 +++++++- |
|
1 file changed, 7 insertions(+), 1 deletion(-) |
|
|
|
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c |
|
index 8dacd2f..4712e84 100644 |
|
--- a/src/cdf.c |
|
+++ b/src/cdf.c |
|
@@ -810,6 +810,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, |
|
i, inp[i].pi_id, inp[i].pi_type, q - p, offs)); |
|
if (inp[i].pi_type & CDF_VECTOR) { |
|
nelements = CDF_GETUINT32(q, 1); |
|
+ if (nelements == 0) { |
|
+ DPRINTF(("CDF_VECTOR with nelements == 0\n")); |
|
+ goto out; |
|
+ } |
|
o = 2; |
|
} else { |
|
nelements = 1; |
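Review bot: The new guard in the `CDF_VECTOR` branch rejects only `nelements == 0`, but the count is a 32-bit value read straight from the file, so it still needs an upper limit before anything indexes or allocates by it. The second hunk caps the string loop with `i < sh.sh_properties`; any other use of `nelements` lies outside this hunk and should be checked against the same kind of limit. The guard also deserves a comment saying why zero is fatal. Going by the commit subject, something like `/* nelements is file-controlled; a zero count can stall the property loop (bug #67327) */` would fit. cdf_read_property_info starts and ends outside the hunk, so the exact stall mechanism is not confirmed from these lines.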
|
@@ -884,7 +888,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, |
|
} |
|
DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", |
|
nelements)); |
|
- for (j = 0; j < nelements; j++, i++) { |
|
+ for (j = 0; j < nelements && i < sh.sh_properties; |
|
+ j++, i++) |
|
+ { |
|
uint32_t l = CDF_GETUINT32(q, o); |
|
inp[i].pi_str.s_len = l; |
|
inp[i].pi_str.s_buf = (const char *) |
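Review bot: When the added `i < sh.sh_properties` condition ends the loop early, the vector is cut short silently, whereas the zero-count case in the first hunk logs and takes `goto out`. A file that claims more elements than there are property slots is malformed, so it should at least leave a trace after the loop, e.g. `if (j < nelements) DPRINTF(("CDF_VECTOR truncated by sh_properties\n"));`, or fail the same way the first hunk does. The length `l` from `CDF_GETUINT32(q, o)` is stored into `s_len` in the visible lines. Whether it is checked against the end of the stream happens in the rest of the loop body, which is outside the hunk and worth confirming. As a style point, the opening brace on its own line differs from the `if (...) {` form used in the first hunk.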
|
-- |
|
1.9.2 |
|
|
|
|