From f5bbd744f55eb8398fa1fb983ac8cb3317438770 Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Wed, 27 Apr 2022 19:30:00 +0100
Subject: [PATCH] wacom-usb: Fix a timeout when parsing very corrupt firmware
Fixes https://oss-fuzz.com/testcase-detail/5797345020739584
---
 plugins/wacom-usb/fu-wac-firmware.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/plugins/wacom-usb/fu-wac-firmware.c b/plugins/wacom-usb/fu-wac-firmware.c
index 78026dad4..014888656 100644
--- a/plugins/wacom-usb/fu-wac-firmware.c
+++ b/plugins/wacom-usb/fu-wac-firmware.c
@@ -19,6 +19,7 @@ struct _FuWacFirmware {
 G_DEFINE_TYPE(FuWacFirmware, fu_wac_firmware, FU_TYPE_FIRMWARE)
 #define FU_WAC_FIRMWARE_TOKENS_MAX 100000 /* lines */
+#define FU_WAC_FIRMWARE_SECTIONS_MAX 10
 typedef struct {
 guint32 addr;
@@ -71,6 +72,16 @@ fu_wac_firmware_tokenize_cb(GString *token, guint token_idx, gpointer user_data,
 token->len);
 return FALSE;
 }
+ /* sanity check */
+ if (helper->header_infos->len > FU_WAC_FIRMWARE_SECTIONS_MAX) {
+ g_set_error(error,
+ FWUPD_ERROR,
+ FWUPD_ERROR_INTERNAL,
+ "too many metadata sections: %u",
+ helper->header_infos->len);
+ return FALSE;
+ }
 if (!fu_firmware_strparse_uint4_safe(token->str,
 token->len,
 5,
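Review bot: FU_WAC_FIRMWARE_SECTIONS_MAX is added without the unit comment its neighbour carries (`/* lines */` on FU_WAC_FIRMWARE_TOKENS_MAX), and nothing records where the value 10 comes from. The limit is compared against `helper->header_infos->len` in the tokenizer callback, so a trailing comment such as `/* header info records */` would make the unit clear. If 10 is derived from the file format or from known devices, that is worth stating next to the define so a later reader knows whether it can be raised safely.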
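Review bot: The added length check in fu_wac_firmware_tokenize_cb runs before this record's entries are appended and compares with `>`, so it does not actually hold `helper->header_infos` to FU_WAC_FIRMWARE_SECTIONS_MAX entries. A record is still accepted when the array already holds exactly 10 entries, and the count read by the following `fu_firmware_strparse_uint4_safe(token->str, token->len, 5, ...)` call (a single hex digit, so presumably up to 15) would then be added on top; the append loop is outside this hunk, so that part is inferred. Checking the current length plus the parsed count against the limit right after that call would make the constant a real upper bound; failing that, `if (helper->header_infos->len >= FU_WAC_FIRMWARE_SECTIONS_MAX) {` at least removes the off-by-one. A regression test fed a file with repeated header records would pin the intended limit.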