Fix CVE-2019-18218: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18218 Patch copied from upstream source repository: https://github.com/file/file/commit/46a8443f76cec4b41ec736eca396984c74664f84 From 46a8443f76cec4b41ec736eca396984c74664f84 Mon Sep 17 00:00:00 2001 From: Christos Zoulas Date: Mon, 26 Aug 2019 14:31:39 +0000 Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz) --- src/cdf.c | 9 ++++----- src/cdf.h | 1 + 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/cdf.c b/src/cdf.c index 9d6396742..bb81d6374 100644 --- a/src/cdf.c +++ b/src/cdf.c @@ -1027,8 +1027,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, goto out; } nelements = CDF_GETUINT32(q, 1); - if (nelements == 0) { - DPRINTF(("CDF_VECTOR with nelements == 0\n")); + if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) { + DPRINTF(("CDF_VECTOR with nelements == %" + SIZE_T_FORMAT "u\n", nelements)); goto out; } slen = 2; @@ -1070,8 +1071,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, goto out; inp += nelem; } - DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", - nelements)); for (j = 0; j < nelements && i < sh.sh_properties; j++, i++) { diff --git a/src/cdf.h b/src/cdf.h index 2f7e554b7..05056668f 100644 --- a/src/cdf.h +++ b/src/cdf.h @@ -48,6 +48,7 @@ typedef int32_t cdf_secid_t; #define CDF_LOOP_LIMIT 10000 +#define CDF_ELEMENT_LIMIT 100000 #define CDF_SECID_NULL 0 #define CDF_SECID_FREE -1