Subject: The cdf_read_property_info function does not properly validate a stream offset
ID: CVE-2014-3487
Author: Christos Zoulas <christos@zoulas.com>
Date: Mon Jun 9 13:04:37 2014 +0000
Origin:
    commit 93e063ee374b6a75729df9e7201fb511e47e259d
Debian-Author: Holger Levsen <holger@debian.org>
Comment:
 made apply cleanly based on [origin]
Reviewed-By: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Last-Update: 2014-09-07

    Add missing check offset test (Francisco Alonso, Jan Kaluza at RedHat)

--- a/src/cdf.c
+++ b/src/cdf.c
@@ -802,7 +802,11 @@
 	if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
 		goto out;
 	for (i = 0; i < sh.sh_properties; i++) {
-		size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
+		size_t tail = (i << 1) + 1;
+		if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
+		    __LINE__) == -1)
+			goto out;
+		size_t ofs = CDF_GETUINT32(p, tail);
 		q = (const uint8_t *)(const void *)
 		    ((const char *)(const void *)p + ofs
 		    - 2 * sizeof(uint32_t));