
Cherry-pick commit to restrict the number of CDF_VECTOR elements. Closes: #942830 [CVE-2019-18218]

Christoph Biedl 4 years ago
parent
commit
054940e842

+ 38 - 0
debian/patches/cherry-pick.FILE5_37-67-g46a8443f.limit-the-number-of-elements-in-a-vector-found-by-oss-fuzz.patch

@@ -0,0 +1,38 @@
+Subject: Limit the number of elements in a vector (found by oss-fuzz)
+Origin: FILE5_37-67-g46a8443f <https://github.com/file/file/commit/FILE5_37-67-g46a8443f>
+Upstream-Author: Christos Zoulas <christos@zoulas.com>
+Date: Mon Aug 26 14:31:39 2019 +0000
+
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -1013,8 +1013,9 @@
+ 				goto out;
+ 			}
+ 			nelements = CDF_GETUINT32(q, 1);
+-			if (nelements == 0) {
+-				DPRINTF(("CDF_VECTOR with nelements == 0\n"));
++			if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
++				DPRINTF(("CDF_VECTOR with nelements == %"
++				    SIZE_T_FORMAT "u\n", nelements));
+ 				goto out;
+ 			}
+ 			slen = 2;
+@@ -1056,8 +1057,6 @@
+ 					goto out;
+ 				inp += nelem;
+ 			}
+-			DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
+-			    nelements));
+ 			for (j = 0; j < nelements && i < sh.sh_properties;
+ 			    j++, i++)
+ 			{
+--- a/src/cdf.h
++++ b/src/cdf.h
+@@ -48,6 +48,7 @@
+ typedef int32_t cdf_secid_t;
+ 
+ #define CDF_LOOP_LIMIT					10000
++#define CDF_ELEMENT_LIMIT				100000
+ 
+ #define CDF_SECID_NULL					0
+ #define CDF_SECID_FREE					-1
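Review bot: The new guard `nelements > CDF_ELEMENT_LIMIT || nelements == 0` in the first src/cdf.c hunk caps the file-supplied count at a fixed 100000 but does not relate it to the bytes actually remaining in the section, so a small input can still declare a vector of up to the limit. Whether the growth path that follows (the `inp += nelem` context in the second src/cdf.c hunk) is safe for every count up to that limit cannot be confirmed from these lines, because the enclosing function starts and ends outside the hunk; it is worth checking the allocation helper upstream to confirm that its size computation cannot overflow with this bound in place. The constant is also added to src/cdf.h without explanation, and a comment above it such as `/* Largest CDF_VECTOR element count accepted from a file; larger counts are rejected as malformed. */` would record why it exists and what it protects. Finally, the patch header could carry the references already in the commit title (Debian bug #942830, CVE-2019-18218) so the patch file stays traceable on its own.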

+ 1 - 0
debian/patches/series

@@ -6,6 +6,7 @@ cherry-pick.FILE5_37-47-g62de35af.disable-gem-gdos-fonts-for-now-needs-to-be-str
 cherry-pick.FILE5_37-50-g2a1bb655.always-support-the-no-sandbox-option.patch
 cherry-pick.FILE5_37-54-g119cc185.add-lzma-decompression-support.patch
 cherry-pick.FILE5_37-55-gb259a07e.add-lzma-and-bzip-built-in-decompression-support.patch
+cherry-pick.FILE5_37-67-g46a8443f.limit-the-number-of-elements-in-a-vector-found-by-oss-fuzz.patch
 
 # patches that should go upstream