mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-11-20 05:37:34 -05:00
56 lines
1.6 KiB
Diff
56 lines
1.6 KiB
Diff
|
Fix CVE-2019-18218:
|
||
|
|
||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218
|
||
|
|
||
|
Patch copied from upstream source repository:
|
||
|
|
||
|
https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84
|
||
|
|
||
|
From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001
|
||
|
From: Christos Zoulas <christos@zoulas.com>
|
||
|
Date: Mon, 26 Aug 2019 14:31:39 +0000
|
||
|
Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz)
|
||
|
|
||
|
---
|
||
|
src/cdf.c | 9 ++++-----
|
||
|
src/cdf.h | 1 +
|
||
|
2 files changed, 5 insertions(+), 5 deletions(-)
|
||
|
|
||
|
diff --git a/src/cdf.c b/src/cdf.c
|
||
|
index 9d6396742..bb81d6374 100644
|
||
|
--- a/src/cdf.c
|
||
|
+++ b/src/cdf.c
|
||
|
@@ -1027,8 +1027,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
|
||
|
goto out;
|
||
|
}
|
||
|
nelements = CDF_GETUINT32(q, 1);
|
||
|
- if (nelements == 0) {
|
||
|
- DPRINTF(("CDF_VECTOR with nelements == 0\n"));
|
||
|
+ if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
|
||
|
+ DPRINTF(("CDF_VECTOR with nelements == %"
|
||
|
+ SIZE_T_FORMAT "u\n", nelements));
|
||
|
goto out;
|
||
|
}
|
||
|
slen = 2;
|
||
|
@@ -1070,8 +1071,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
|
||
|
goto out;
|
||
|
inp += nelem;
|
||
|
}
|
||
|
- DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
|
||
|
- nelements));
|
||
|
for (j = 0; j < nelements && i < sh.sh_properties;
|
||
|
j++, i++)
|
||
|
{
|
||
|
diff --git a/src/cdf.h b/src/cdf.h
|
||
|
index 2f7e554b7..05056668f 100644
|
||
|
--- a/src/cdf.h
|
||
|
+++ b/src/cdf.h
|
||
|
@@ -48,6 +48,7 @@
|
||
|
typedef int32_t cdf_secid_t;
|
||
|
|
||
|
#define CDF_LOOP_LIMIT 10000
|
||
|
+#define CDF_ELEMENT_LIMIT 100000
|
||
|
|
||
|
#define CDF_SECID_NULL 0
|
||
|
#define CDF_SECID_FREE -1
|