| cdf_read_property_info in cdf.c in file through 5.37 does not restrict the |
| number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte |
| out-of-bounds write). |
| |
| CVE: CVE-2019-18218 |
| Upstream-Status: Backport |
| Signed-off-by: Ross Burton <ross.burton@intel.com> |
| |
| From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001 |
| From: Christos Zoulas <christos@zoulas.com> |
| Date: Mon, 26 Aug 2019 14:31:39 +0000 |
| Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz) |
| |
| --- |
| src/cdf.c | 9 ++++----- |
| src/cdf.h | 1 + |
| 2 files changed, 5 insertions(+), 5 deletions(-) |
| |
| diff --git a/src/cdf.c b/src/cdf.c |
| index 9d6396742..bb81d6374 100644 |
| --- a/src/cdf.c |
| +++ b/src/cdf.c |
| @@ -1016,8 +1016,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, |
| goto out; |
| } |
| nelements = CDF_GETUINT32(q, 1); |
| - if (nelements == 0) { |
| - DPRINTF(("CDF_VECTOR with nelements == 0\n")); |
| + if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { |
| + DPRINTF(("CDF_VECTOR with nelements == %" |
| + SIZE_T_FORMAT "u\n", nelements)); |
| goto out; |
| } |
| slen = 2; |
| @@ -1060,8 +1061,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, |
| goto out; |
| inp += nelem; |
| } |
| - DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", |
| - nelements)); |
| for (j = 0; j < nelements && i < sh.sh_properties; |
| j++, i++) |
| { |
| diff --git a/src/cdf.h b/src/cdf.h |
| index 2f7e554b7..05056668f 100644 |
| --- a/src/cdf.h |
| +++ b/src/cdf.h |
| @@ -48,6 +48,7 @@ |
| typedef int32_t cdf_secid_t; |
| |
| #define CDF_LOOP_LIMIT 10000 |
| +#define CDF_ELEMENT_LIMIT 100000 |
| |
| #define CDF_SECID_NULL 0 |
| #define CDF_SECID_FREE -1 |