summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGravatar Nikias Bassen2017-02-10 05:01:09 +0100
committerGravatar Nikias Bassen2017-02-10 05:01:09 +0100
commit72f7cf803635a127c63bcd37ab35ced28636410a (patch)
tree909d15ea8bc3a70fe92b95d7754f5dffb3d79d0a
parent8e4b7a591c6a31b960d6e9e769c8efe15751df97 (diff)
downloadlibplist-72f7cf803635a127c63bcd37ab35ced28636410a.tar.gz
libplist-72f7cf803635a127c63bcd37ab35ced28636410a.tar.bz2
bplist: Fix integer overflow resulting in OOB heap buffer read
Credit to OSS-Fuzz
-rw-r--r--src/bplist.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/bplist.c b/src/bplist.c
index da7bb63..0fd149e 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -825,6 +825,11 @@ PLIST_API void plist_from_bin(const char *plist_bin, uint32_t length, plist_t *
return;
}
+ if (num_objects * offset_size < num_objects) {
+ PLIST_BIN_ERR("integer overflow when calculating offset table size (too many objects)\n");
+ return;
+ }
+
if (offset_table + num_objects * offset_size > end_data) {
PLIST_BIN_ERR("offset table points outside of valid range\n");
return;