
Fix CVE-2014-0238

Christoph Biedl 11 years ago
parent
commit
9d7a6dc502
2 changed files with 41 additions and 0 deletions
  1. 40 0
      debian/patches/CVE-2014-0238.patch
  2. 1 0
      debian/patches/series

+ 40 - 0
debian/patches/CVE-2014-0238.patch

@@ -0,0 +1,40 @@
+Subject: The cdf_read_property_info function allows remote attackers to cause a denial of service
+ID: CVE-2014-0238
+Author: Christos Zoulas <christos@zoulas.com>
+Date: Wed May 21 13:04:38 2014 +0000
+Origin:
+    commit f97486ef5dc3e8735440edc4fc8808c63e1a3ef0
+Debian-Author: Holger Levsen <holger@debian.org>
+Comment:
+    made apply cleanly based on [origin]
+Comment-2: Upstream's commit message refers to a different CVE ID
+Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
+Last-Update: 2014-09-07
+
+    CVE-2014-0207: Prevent 0 element vectors and vectors longer than the number
+    of properties from accessing random memory.
+
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -813,6 +813,10 @@
+ 		    i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
+ 		if (inp[i].pi_type & CDF_VECTOR) {
+ 			nelements = CDF_GETUINT32(q, 1);
++			if (nelements == 0) {
++				DPRINTF(("CDF_VECTOR with nelements == 0\n"));
++				goto out;
++			}
+ 			o = 2;
+ 		} else {
+ 			nelements = 1;
+@@ -887,7 +891,9 @@
+ 			}
+ 			DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
+ 			    nelements));
+-			for (j = 0; j < nelements; j++, i++) {
++			for (j = 0; j < nelements && i < sh.sh_properties;
++			    j++, i++)
++			{
+ 				uint32_t l = CDF_GETUINT32(q, o);
+ 				inp[i].pi_str.s_len = l;
+ 				inp[i].pi_str.s_buf = (const char *)
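Review bot: The two parts of the embedded cdf.c fix treat a malformed vector differently. In the `CDF_VECTOR` branch a zero `nelements` is logged and rejected with `goto out`, whereas the rewritten loop `for (j = 0; j < nelements && i < sh.sh_properties; j++, i++)` simply stops early, with no message, when the vector claims more elements than there are properties. If clamping rather than rejecting is intended, a comment above the loop should say so, e.g. `/* clamp to sh.sh_properties: an over-long vector must not advance i past the declared property count */`. A debug line after the loop, such as `if (j < nelements) DPRINTF(("CDF_VECTOR truncated at sh_properties\n"));`, would make such files visible during triage. The loop body and the `out` label lie outside the hunks shown, so the handling of the skipped elements and the cleanup path cannot be confirmed from this page.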

+ 1 - 0
debian/patches/series

@@ -7,3 +7,4 @@ CVE-2014-2270.patch
 DSA-2873-1-regression.patch
 CVE-2014-0207.patch
 CVE-2014-0237.patch
+CVE-2014-0238.patch