From f6dd8461e4869877172667f27c9e90510db3d635 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 25 Oct 2019 09:33:21 +0200
Subject: [PATCH] Resolves: CVE-2019-18218 - fix heap-based buffer overflow in
 cdf_read_property_info()

---
 file-5.37-CVE-2019-18218.patch | 52 ++++++++++++++++++++++++++++++++++
 file.spec                      |  8 +++++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 file-5.37-CVE-2019-18218.patch

diff --git a/file-5.37-CVE-2019-18218.patch b/file-5.37-CVE-2019-18218.patch
new file mode 100644
index 0000000..89b9bde
--- /dev/null
+++ b/file-5.37-CVE-2019-18218.patch
@@ -0,0 +1,52 @@
+From f73ad90e797824569008a054bea6c8215883a3a0 Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <christos@zoulas.com>
+Date: Mon, 26 Aug 2019 14:31:39 +0000
+Subject: [PATCH] Limit the number of elements in a vector (found by oss-fuzz)
+
+Upstream-commit: 46a8443f76cec4b41ec736eca396984c74664f84
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/cdf.c | 7 +++----
+ src/cdf.h | 1 +
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/cdf.c b/src/cdf.c
+index 556a3ff..8bb0a6d 100644
+--- a/src/cdf.c
++++ b/src/cdf.c
+@@ -1013,8 +1013,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ 				goto out;
+ 			}
+ 			nelements = CDF_GETUINT32(q, 1);
+-			if (nelements == 0) {
+-				DPRINTF(("CDF_VECTOR with nelements == 0\n"));
++			if (nelements > CDF_ELEMENT_LIMIT || nelements == 0) {
++				DPRINTF(("CDF_VECTOR with nelements == %"
++				    SIZE_T_FORMAT "u\n", nelements));
+ 				goto out;
+ 			}
+ 			slen = 2;
+@@ -1056,8 +1057,6 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ 					goto out;
+ 				inp += nelem;
+ 			}
+-			DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
+-			    nelements));
+ 			for (j = 0; j < nelements && i < sh.sh_properties;
+ 			    j++, i++)
+ 			{
+diff --git a/src/cdf.h b/src/cdf.h
+index 2f7e554..0505666 100644
+--- a/src/cdf.h
++++ b/src/cdf.h
+@@ -48,6 +48,7 @@
+ typedef int32_t cdf_secid_t;
+ 
+ #define CDF_LOOP_LIMIT					10000
++#define CDF_ELEMENT_LIMIT				100000
+ 
+ #define CDF_SECID_NULL					0
+ #define CDF_SECID_FREE					-1
+-- 
+2.20.1
+
diff --git a/file.spec b/file.spec
index 3927af5..dd86adc 100644
--- a/file.spec
+++ b/file.spec
@@ -15,7 +15,7 @@
 Summary: A utility for determining file types
 Name: file
 Version: 5.37
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: BSD
 Source0: ftp://ftp.astron.com/pub/file/file-%{version}.tar.gz
 
@@ -29,6 +29,9 @@ Patch2: file-5.04-volume_key.patch
 # fix double free on read error (#1685217)
 Patch14: file-5.37-double-free.patch
 
+# fix heap-based buffer overflow in cdf_read_property_info() (CVE-2019-18218)
+Patch15: file-5.37-CVE-2019-18218.patch
+
 URL: http://www.darwinsys.com/file/
 Requires: file-libs = %{version}-%{release}
 BuildRequires: zlib-devel
@@ -203,6 +206,9 @@ cd %{py3dir}
 %endif
 
 %changelog
+* Fri Oct 25 2019 Kamil Dudka <kdudka@redhat.com> - 5.37-8
+- fix heap-based buffer overflow in cdf_read_property_info() (CVE-2019-18218)
+
 * Mon Oct 14 2019 Kamil Dudka <kdudka@redhat.com> - 5.37-7
 - remove the python2-magic subpackage on f32+ (#1761223)