mirror of
https://github.com/php/php-src.git
synced 2024-09-25 11:57:26 +00:00
Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS
Upstream fix: f97486ef5d
This commit is contained in:
parent
44be7b7f27
commit
d77ea459bd
@ -823,6 +823,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
|
||||
i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
|
||||
if (inp[i].pi_type & CDF_VECTOR) {
|
||||
nelements = CDF_GETUINT32(q, 1);
|
||||
if (nelements == 0) {
|
||||
DPRINTF(("CDF_VECTOR with nelements == 0\n"));
|
||||
goto out;
|
||||
}
|
||||
o = 2;
|
||||
} else {
|
||||
nelements = 1;
|
||||
@ -897,7 +901,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
|
||||
}
|
||||
DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
|
||||
nelements));
|
||||
for (j = 0; j < nelements; j++, i++) {
|
||||
for (j = 0; j < nelements && i < sh.sh_properties;
|
||||
j++, i++)
|
||||
{
|
||||
uint32_t l = CDF_GETUINT32(q, o);
|
||||
inp[i].pi_str.s_len = l;
|
||||
inp[i].pi_str.s_buf = (const char *)
|
||||
|
Loading…
Reference in New Issue
Block a user