Subject: The cdf_count_chain function does not properly validate sector-count data
ID: CVE-2014-3480
Author: Christos Zoulas
Date: Wed Jun 4 17:23:19 2014 +0000
Origin: commit 40bade80cbe2af1d0b2cd0420cebd5d5905a2382
Debian-Author: Holger Levsen
Comment: made apply cleanly based on [origin]
Reviewed-By: Christoph Biedl
Last-Update: 2014-09-07
Fix incorrect bounds check for sector count. (Francisco Alonso and Jan Kaluza at RedHat)
--- a/src/cdf.c
+++ b/src/cdf.c
@@ -460,7 +460,8 @@
 cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
 {
 	size_t i, j;
-	cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
+	cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
+	    / sizeof(maxsector));
 
 	DPRINTF(("Chain:"));
 	for (j = i = 0; sid >= 0; i++, j++) {
@@ -470,8 +471,8 @@
 			errno = EFTYPE;
 			return (size_t)-1;
 		}
-		if (sid > maxsector) {
-			DPRINTF(("Sector %d > %d\n", sid, maxsector));
+		if (sid >= maxsector) {
+			DPRINTF(("Sector %d >= %d\n", sid, maxsector));
 			errno = EFTYPE;
 			return (size_t)-1;
 		}
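Review bot: The corrected `maxsector` on the added lines of the first hunk is now an element count (SAT bytes divided by `sizeof(maxsector)`), not a byte size, and nothing in the code says so; a one-line comment there would keep the next reader from re-introducing the off-by-one that the second hunk's `>=` closes: `/* number of secids the SAT holds; a valid sid is < maxsector */`. The cast to `cdf_secid_t` narrows the `size_t` quotient to the signed type the loop condition `sid >= 0` shows it to be; for a SAT whose entry count does not fit, the comparison would presumably reject valid chains rather than admit bad ones, which is the safe direction but worth a short note if `sat->sat_len * size` can legitimately be that large. The remainder of `cdf_count_chain` continues outside both hunks.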