Subject: Don't try to read past the end of the properties, found by oss-fuzz
Origin: FILE5_30-42-gf0bcdd07
Upstream-Author: Christos Zoulas
Date: Sat Apr 8 20:38:46 2017 +0000
--- a/src/cdf.c
+++ b/src/cdf.c
@@ -835,6 +835,10 @@
 size_t ofs;
 const uint8_t *q;
+ if (p >= e) {
+ DPRINTF(("Past end %p < %p\n", e, p));
+ return NULL;
+ }
 if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t), __LINE__) == -1) return NULL;
@@ -945,7 +949,7 @@
 *count += sh.sh_properties;
 p = CAST(const uint8_t *, cdf_offset(sst->sst_tab, offs + sizeof(sh)));
 e = CAST(const uint8_t *, cdf_offset(shp, sh.sh_len));
- if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
+ if (p >= e || cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
 goto out;
 for (i = 0; i < sh.sh_properties; i++) {
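Review bot: In the first hunk (`@@ -835`), the new `p >= e` guard only establishes that `p` starts before `e`; the length validated next, `tail * sizeof(uint32_t)`, is checked against the stream (`sst`, `h`) and not against `e`, so a read that begins just below `e` can still run past it. If `e` is meant to bound the property section, as the second hunk's `e = ... cdf_offset(shp, sh.sh_len)` suggests, the guard could also compare the remaining space: `if (p >= e || CAST(size_t, e - p) < tail * sizeof(uint32_t)) {`. The debug text prints `<` while the test also rejects equality, so `"Past end %p <= %p\n"` would match the condition. The function's signature and the reads that follow are outside the hunk, so the exact number of bytes consumed from `p` should be confirmed there.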
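Review bot: In the second hunk (`@@ -945`), `p >= e` is evaluated before `cdf_check_stream_offset` has confirmed that `e` lies inside the stream, and `e` is derived from `sh.sh_len`, which presumably comes from the parsed file. Putting the offset check first keeps the comparison to a pointer already known to be in range: `if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1 || p >= e)`. This rejection path is also silent, unlike the guard in the first hunk, which logs through `DPRINTF`; a matching debug line would make malformed samples easier to triage. The enclosing function starts and ends outside the hunk.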