From 22736b7c56d678f142d5dd21f4996e5819507a2b Mon Sep 17 00:00:00 2001

From: Stanislav Malyshev <stas@php.net>

Date: Mon, 26 May 2014 17:42:18 -0700

Subject: [PATCH] Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS

Upstream fix: https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0

---

 ext/fileinfo/libmagic/cdf.c | 8 +++++++-

 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c

index 8dacd2f..4712e84 100644

--- a/ext/fileinfo/libmagic/cdf.c

+++ b/ext/fileinfo/libmagic/cdf.c

@@ -823,6 +823,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,

 		    i, inp[i].pi_id, inp[i].pi_type, q - p, offs));

 		if (inp[i].pi_type & CDF_VECTOR) {

 			nelements = CDF_GETUINT32(q, 1);

+			if (nelements == 0) {

+				DPRINTF(("CDF_VECTOR with nelements == 0\n"));

+				goto out;

+			}

 			o = 2;

 		} else {

 			nelements = 1;

@@ -897,7 +901,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,

 			}

 			DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",

 			    nelements));

-			for (j = 0; j < nelements; j++, i++) {

+			for (j = 0; j < nelements && i < sh.sh_properties; 

+			    j++, i++) 

+			{

 				uint32_t l = CDF_GETUINT32(q, o);

 				inp[i].pi_str.s_len = l;

 				inp[i].pi_str.s_buf = (const char *)

-- 

1.9.2