|
 |
0233e9 |
From 22736b7c56d678f142d5dd21f4996e5819507a2b Mon Sep 17 00:00:00 2001
|
|
|
0233e9 |
From: Stanislav Malyshev <stas@php.net>
|
|
|
0233e9 |
Date: Mon, 26 May 2014 17:42:18 -0700
|
|
|
0233e9 |
Subject: [PATCH] Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS
|
|
|
0233e9 |
|
|
|
0233e9 |
Upstream fix: https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0
|
|
|
0233e9 |
---
|
|
|
0233e9 |
ext/fileinfo/libmagic/cdf.c | 8 +++++++-
|
|
|
0233e9 |
1 file changed, 7 insertions(+), 1 deletion(-)
|
|
|
0233e9 |
|
|
|
0233e9 |
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
|
|
|
0233e9 |
index 8dacd2f..4712e84 100644
|
|
|
0233e9 |
--- a/src/cdf.c
|
|
|
0233e9 |
+++ b/src/cdf.c
|
|
|
83d9a8 |
@@ -810,6 +810,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
|
|
|
0233e9 |
i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
|
|
|
0233e9 |
if (inp[i].pi_type & CDF_VECTOR) {
|
|
|
0233e9 |
nelements = CDF_GETUINT32(q, 1);
|
|
|
0233e9 |
+ if (nelements == 0) {
|
|
|
0233e9 |
+ DPRINTF(("CDF_VECTOR with nelements == 0\n"));
|
|
|
0233e9 |
+ goto out;
|
|
|
0233e9 |
+ }
|
|
|
0233e9 |
o = 2;
|
|
|
0233e9 |
} else {
|
|
|
0233e9 |
nelements = 1;
|
|
|
83d9a8 |
@@ -884,7 +888,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
|
|
|
0233e9 |
}
|
|
|
0233e9 |
DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
|
|
|
0233e9 |
nelements));
|
|
|
0233e9 |
- for (j = 0; j < nelements; j++, i++) {
|
|
|
0233e9 |
+ for (j = 0; j < nelements && i < sh.sh_properties;
|
|
|
0233e9 |
+ j++, i++)
|
|
|
0233e9 |
+ {
|
|
|
0233e9 |
uint32_t l = CDF_GETUINT32(q, o);
|
|
|
0233e9 |
inp[i].pi_str.s_len = l;
|
|
|
0233e9 |
inp[i].pi_str.s_buf = (const char *)
|
|
|
0233e9 |
--
|
|
|
0233e9 |
1.9.2
|
|
|
0233e9 |
|