From f73ad90e797824569008a054bea6c8215883a3a0 Mon Sep 17 00:00:00 2001

From: Christos Zoulas <christos@zoulas.com>

Date: Mon, 26 Aug 2019 14:31:39 +0000

Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz)

Upstream-commit: 46a8443f76cec4b41ec736eca396984c74664f84

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 src/cdf.c | 7 +++----

 src/cdf.h | 1 +

 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/cdf.c b/src/cdf.c

index 556a3ff..8bb0a6d 100644

--- a/src/cdf.c

+++ b/src/cdf.c

@@ -1013,8 +1013,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,

 				goto out;

 			}

 			nelements = CDF_GETUINT32(q, 1);

-			if (nelements == 0) {

-				DPRINTF(("CDF_VECTOR with nelements == 0\n"));

+			if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {

+				DPRINTF(("CDF_VECTOR with nelements == %"

+				    SIZE_T_FORMAT "u\n", nelements));

 				goto out;

 			}

 			slen = 2;

@@ -1056,8 +1057,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,

 					goto out;

 				inp += nelem;

 			}

-			DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",

-			    nelements));

 			for (j = 0; j < nelements && i < sh.sh_properties;

 			    j++, i++)

 			{

diff --git a/src/cdf.h b/src/cdf.h

index 2f7e554..0505666 100644

--- a/src/cdf.h

+++ b/src/cdf.h

@@ -48,6 +48,7 @@

 typedef int32_t cdf_secid_t;

 #define CDF_LOOP_LIMIT					10000

+#define CDF_ELEMENT_LIMIT				100000

 #define CDF_SECID_NULL					0

 #define CDF_SECID_FREE					-1

-- 

2.20.1