Subject: The cdf_read_property_info function allows remote attackers to cause a denial of service ID: CVE-2014-0238 Author: Christos Zoulas Date: Wed May 21 13:04:38 2014 +0000 Origin: commit f97486ef5dc3e8735440edc4fc8808c63e1a3ef0 Debian-Author: Holger Levsen Comment: made apply cleanly based on [origin] Comment-2: Upstream's commit message refers to a different CVE ID Reviewed-By: Christoph Biedl Last-Update: 2014-09-07 CVE-2014-0207: Prevent 0 element vectors and vectors longer than the number of properties from accessing random memory.
--- a/src/cdf.c
+++ b/src/cdf.c
@@ -813,6 +813,10 @@
 i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
 if (inp[i].pi_type & CDF_VECTOR) {
 nelements = CDF_GETUINT32(q, 1);
+ if (nelements == 0) {
+ DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+ goto out;
+ }
 o = 2;
 } else {
 nelements = 1;
@@ -887,7 +891,9 @@
 }
 DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", nelements));
- for (j = 0; j < nelements; j++, i++) {
+ for (j = 0; j < nelements && i < sh.sh_properties;
+ j++, i++)
+ {
 uint32_t l = CDF_GETUINT32(q, o);
 inp[i].pi_str.s_len = l;
 inp[i].pi_str.s_buf = (const char *)
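Review bot: The new guard after `nelements = CDF_GETUINT32(q, 1);` rejects only the empty-vector case and puts no upper bound on a count that comes straight from the untrusted CDF file, so an attacker-chosen value near UINT32_MAX still reaches the element loop; the second hunk then clamps that loop with `i < sh.sh_properties`, which stops the out-of-range writes into `inp[]` but silently truncates the vector instead of rejecting it, presumably leaving `o` and the offsets derived from it inconsistent for whatever follows (the tail of that loop is outside this excerpt). I would reject up front instead, e.g. `if (nelements == 0 || nelements > sh.sh_properties - i) { DPRINTF(("CDF_VECTOR with bad nelements %" SIZE_T_FORMAT "u\n", nelements)); goto out; }`, on the assumption that `i < sh.sh_properties` holds at this point and that `sh.sh_properties` was itself validated against the section size when `inp` was allocated — both worth confirming in the surrounding code. It is also not visible here whether the 8 bytes read by `CDF_GETUINT32(q, 1)` are checked to lie inside the section before the read; if not, that check belongs before this guard. cdf_read_property_info begins and ends outside the hunk.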