author | Nikias Bassen | 2017-02-10 05:01:09 +0100 |
---|---|---|
committer | Nikias Bassen | 2017-02-10 05:01:09 +0100 |
commit | 72f7cf803635a127c63bcd37ab35ced28636410a (patch) | |
tree | 909d15ea8bc3a70fe92b95d7754f5dffb3d79d0a | |
parent | 8e4b7a591c6a31b960d6e9e769c8efe15751df97 (diff) | |
bplist: Fix integer overflow resulting in OOB heap buffer read
Credit to OSS-Fuzz
-rw-r--r-- | src/bplist.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/bplist.c b/src/bplist.c
index da7bb63..0fd149e 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -825,6 +825,11 @@ PLIST_API void plist_from_bin(const char *plist_bin, uint32_t length, plist_t *
 return;
 }
 
+ if (num_objects * offset_size < num_objects) {
+ PLIST_BIN_ERR("integer overflow when calculating offset table size (too many objects)\n");
+ return;
+ }
+
 if (offset_table + num_objects * offset_size > end_data) {
 PLIST_BIN_ERR("offset table points outside of valid range\n");
 return;
|
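Review bot: The added guard `num_objects * offset_size < num_objects` is not a complete overflow test, because a product that wraps can still come out greater than or equal to `num_objects` (with 64-bit operands, a count slightly above 2^63 and a size of 3 is one such case), so some oversized headers would get past it. A division-based bound avoids the multiplication altogether, for example `if (offset_size == 0 || num_objects > (uint64_t)(end_data - offset_table) / offset_size)`. It would also replace the pointer sum `offset_table + num_objects * offset_size` in the following check, which can itself run past the buffer before the comparison happens. This presumes `offset_table <= end_data` has already been established; the declarations and the earlier validation in `plist_from_bin` are outside the hunk, so the operand widths and that precondition need confirming.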