Subject: PR/599: Out of bounds read in cdf files
Origin: FILE5_30-18-g4e4e7609
Upstream-Author: Christos Zoulas
Date: Fri Mar 17 19:50:22 2017 +0000
--- a/src/cdf.c
+++ b/src/cdf.c
@@ -982,19 +982,26 @@
 for (j = 0; j < nelements && i < sh.sh_properties; j++, i++) {
- uint32_t l = CDF_GETUINT32(q, o);
+ uint32_t l;
+
+ o4 += sizeof(uint32_t);
+ if (q + o >= e || q + o4 >= e)
+ goto out;
+
+ l = CDF_GETUINT32(q, o);
 inp[i].pi_str.s_len = l;
- inp[i].pi_str.s_buf = (const char *)
- (const void *)(&q[o4 + sizeof(l)]);
+ inp[i].pi_str.s_buf = CAST(const char *,
+ CAST(const void *, &q[o4]));
+
 DPRINTF(("l = %d, r = %" SIZE_T_FORMAT "u, s = %s\n", l, CDF_ROUND(l, sizeof(l)), inp[i].pi_str.s_buf));
+
 if (l & 1) l++;
+
 o += l >> 1;
- if (q + o >= e)
- goto out;
 o4 = o * sizeof(uint32_t);
 }
 i--;
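Review bot: The new guard before `l = CDF_GETUINT32(q, o)` bounds only the length word and the first byte of the string data at `&q[o4]`; the `l` bytes that `pi_str.s_len` and `pi_str.s_buf` now describe are never compared against `e` (presumably the end of the buffer), and `l` is read straight from the input. A consumer that walks `s_len` bytes from `s_buf` can therefore still read past the end of the stream, and the next iteration's `q + o >= e` test only fires after `o` has already been advanced by the unchecked length. Right after the length is read, add `if (l > CAST(size_t, e - (q + o4))) goto out;` so the string body is bounded as well. Note also that forming `q + o4` from an offset taken from the file can produce a pointer well past `e`, which is undefined behaviour in C before the comparison even runs; comparing the offsets `o4 + sizeof(uint32_t)` and `o4 + l` against the remaining byte count would avoid that. The enclosing function begins and ends outside the hunk.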