| 1234567891011121314151617181920212223242526272829303132333435363738 |
- Subject: Limit the number of elements in a vector (found by oss-fuzz)
- Origin: FILE5_37-67-g46a8443f <https://github.com/file/file/commit/FILE5_37-67-g46a8443f>
- Upstream-Author: Christos Zoulas <christos@zoulas.com>
- Date: Mon Aug 26 14:31:39 2019 +0000
- --- a/src/cdf.c
- +++ b/src/cdf.c
- @@ -1013,8 +1013,9 @@
- goto out;
- }
- nelements = CDF_GETUINT32(q, 1);
- - if (nelements == 0) {
- - DPRINTF(("CDF_VECTOR with nelements == 0\n"));
- + if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
- + DPRINTF(("CDF_VECTOR with nelements == %"
- + SIZE_T_FORMAT "u\n", nelements));
- goto out;
- }
- slen = 2;
- @@ -1056,8 +1057,6 @@
- goto out;
- inp += nelem;
- }
- - DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
- - nelements));
- for (j = 0; j < nelements && i < sh.sh_properties;
- j++, i++)
- {
- --- a/src/cdf.h
- +++ b/src/cdf.h
- @@ -48,6 +48,7 @@
- typedef int32_t cdf_secid_t;
-
- #define CDF_LOOP_LIMIT 10000
- +#define CDF_ELEMENT_LIMIT 100000
-
- #define CDF_SECID_NULL 0
- #define CDF_SECID_FREE -1
|
