| From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001 |
| From: Christos Zoulas <christos@zoulas.com> |
| Date: Mon, 26 Aug 2019 14:31:39 +0000 |
| Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz) |
| |
| Fixes CVE-2019-18218 |
| |
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
| --- |
| src/cdf.c | 9 ++++----- |
| src/cdf.h | 1 + |
| 2 files changed, 5 insertions(+), 5 deletions(-) |
| |
| diff --git a/src/cdf.c b/src/cdf.c |
| index 9d639674..bb81d637 100644 |
| --- a/src/cdf.c |
| +++ b/src/cdf.c |
| @@ -35,7 +35,7 @@ |
| #include "file.h" |
| |
| #ifndef lint |
| -FILE_RCSID("@(#)$File: cdf.c,v 1.115 2019/08/23 14:29:14 christos Exp $") |
| +FILE_RCSID("@(#)$File: cdf.c,v 1.116 2019/08/26 14:31:39 christos Exp $") |
| #endif |
| |
| #include <assert.h> |
| @@ -1027,8 +1027,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, |
| goto out; |
| } |
| nelements = CDF_GETUINT32(q, 1); |
| - if (nelements == 0) { |
| - DPRINTF(("CDF_VECTOR with nelements == 0\n")); |
| + if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { |
| + DPRINTF(("CDF_VECTOR with nelements == %" |
| + SIZE_T_FORMAT "u\n", nelements)); |
| goto out; |
| } |
| slen = 2; |
| @@ -1070,8 +1071,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, |
| goto out; |
| inp += nelem; |
| } |
| - DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", |
| - nelements)); |
| for (j = 0; j < nelements && i < sh.sh_properties; |
| j++, i++) |
| { |
| diff --git a/src/cdf.h b/src/cdf.h |
| index 2f7e554b..05056668 100644 |
| --- a/src/cdf.h |
| +++ b/src/cdf.h |
| @@ -48,6 +48,7 @@ |
| typedef int32_t cdf_secid_t; |
| |
| #define CDF_LOOP_LIMIT 10000 |
| +#define CDF_ELEMENT_LIMIT 100000 |
| |
| #define CDF_SECID_NULL 0 |
| #define CDF_SECID_FREE -1 |
| -- |
| 2.20.1 |
| |
