Subject: The cdf_unpack_summary_info function allows remote attackers to cause a denial of service ID: CVE-2014-0237 Author: Christos Zoulas Date: Tue May 6 18:20:39 2014 +0000 Origin: commit b8acc83781d5a24cc5101e525d15efe0482c280d Debian-Author: Holger Levsen Comment: made apply cleanly based on [origin] Reviewed-By: Christoph Biedl Last-Update: 2014-09-07 Remove loop that kept reading the same offset (Jan Kaluza)
--- a/src/cdf.c
+++ b/src/cdf.c
@@ -932,7 +932,7 @@
 cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
 cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count)
 {
- size_t i, maxcount;
+ size_t maxcount;
 const cdf_summary_info_header_t *si =
 CAST(const cdf_summary_info_header_t *, sst->sst_tab);
 const cdf_section_declaration_t *sd =
@@ -947,21 +947,13 @@
 ssi->si_os = CDF_TOLE2(si->si_os);
 ssi->si_class = si->si_class;
 cdf_swap_class(&ssi->si_class);
- ssi->si_count = CDF_TOLE2(si->si_count);
+ ssi->si_count = CDF_TOLE4(si->si_count);
 *count = 0;
 maxcount = 0;
 *info = NULL;
- for (i = 0; i < CDF_TOLE4(si->si_count); i++) {
- if (i >= CDF_LOOP_LIMIT) {
- DPRINTF(("Unpack summary info loop limit"));
- errno = EFTYPE;
- return -1;
- }
- if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset),
- info, count, &maxcount) == -1) {
- return -1;
- }
- }
+ if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), info,
+ count, &maxcount) == -1)
+ return -1;
 return 0;
 }
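Review bot: In the second hunk `ssi->si_count` is stored straight from the file and nothing in the visible lines validates it or relates it to the single section that is now parsed, so a caller that later treats it as a trusted count could be misled by a crafted document. The `CDF_LOOP_LIMIT` guard was removed together with the loop, so any bound on per-file work now has to come from `cdf_read_property_info`, whose body is not part of this patch; it is worth confirming that it caps the property count it takes from the section header. I would add a comment above the call, for example `/* Parse only the section at sd->sd_offset once; si_count is stored unvalidated and must not drive a loop over the same offset. */`, so the loop is not reintroduced later. The function's opening lines are in the previous hunk.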