Subject: The cdf_read_short_sector function allows remote attackers to cause a denial of service
ID: CVE-2014-0207
Author: Christos Zoulas <christos@zoulas.com>
Date: Mon May 5 16:11:21 2014 +0000
Origin:
    commit 6d209c1c489457397a5763bca4b28e43aac90391
Debian-Author: Holger Levsen <holger@debian.org>
Comment:
 made apply cleanly based on [origin], removed all modifications to
 src/readcdf.c (for CVE-2012-1571) as the problematic code was
 introduced later.
Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Last-Update: 2014-09-07

    Apply patches from file-CVE-2012-1571.patch
    From Francisco Alonso Espejo:
        file < 5.18/git version can be made to crash when checking some
        corrupt CDF files (Using an invalid cdf_read_short_sector size)
        The problem I found here, is that in most situations (if
        h_short_sec_size_p2 > 8) because the blocksize is 512 and normal
        values are 06 which means reading 64 bytes.As long as the check
        for the block size copy is not checked properly (there's an assert
        that makes wrong/invalid assumptions)

--- a/src/cdf.c
+++ b/src/cdf.c
@@ -355,10 +355,10 @@
 	size_t ss = CDF_SHORT_SEC_SIZE(h);
 	size_t pos = CDF_SHORT_SEC_POS(h, id);
 	assert(ss == len);
-	if (pos > CDF_SEC_SIZE(h) * sst->sst_len) {
+	if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) {
 		DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %"
 		    SIZE_T_FORMAT "u\n",
-		    pos, CDF_SEC_SIZE(h) * sst->sst_len));
+		    pos + len, CDF_SEC_SIZE(h) * sst->sst_len));
 		return -1;
 	}
 	(void)memcpy(((char *)buf) + offs,