made apply cleanly based on commit f97486ef5dc3e8735440edc4fc8808c63e1a3ef0 Author: Christos Zoulas Date: Wed May 21 13:04:38 2014 +0000 CVE-2014-0207: Prevent 0 element vectors and vectors longer than the number of properties from accessing random memory. diff --git a/src/cdf.c b/src/cdf.c index 48a00ec..375406c 100644 --- a/src/cdf.c +++ b/src/cdf.c @@ -813,6 +813,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, i, inp[i].pi_id, inp[i].pi_type, q - p, offs)); if (inp[i].pi_type & CDF_VECTOR) { nelements = CDF_GETUINT32(q, 1); + if (nelements == 0) { + DPRINTF(("CDF_VECTOR with nelements == 0\n")); + goto out; + } o = 2; } else { nelements = 1; @@ -887,7 +887,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, } DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", nelements)); - for (j = 0; j < nelements; j++, i++) { + for (j = 0; j < nelements && i < sh.sh_properties; + j++, i++) + { uint32_t l = CDF_GETUINT32(q, o); inp[i].pi_str.s_len = l; inp[i].pi_str.s_buf = (const char *)