diff options
author | Filippo Bigarella | 2016-11-10 01:34:02 +0100 |
---|---|---|
committer | Nikias Bassen | 2016-11-10 01:34:02 +0100 |
commit | 23fe533a0f0f34e9cb1d2e328107958645d54ed1 (patch) | |
tree | 5c04c5313f57d5dddf8b5a9ca8ef0d1a29aa2ec6 | |
parent | a4ca24c4fe316bc102b9fa52f808d206ab8cd24b (diff) | |
download | libplist-23fe533a0f0f34e9cb1d2e328107958645d54ed1.tar.gz libplist-23fe533a0f0f34e9cb1d2e328107958645d54ed1.tar.bz2 |
bplist: Make sure to error out if allocation of `used_indexes` buffer in plist_from_bin() fails
If the allocation fails, a lot of bad things can happen so we check the
result and return accordingly. We also check that the multiplication used
to calculate the buffer size doesn't overflow. Otherwise this could lead
to an allocation of a very small buffer compared to what we need, ultimately
leading to arbitrary writes later on.
-rw-r--r-- | src/bplist.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/bplist.c b/src/bplist.c index be82b4e..49d29c5 100644 --- a/src/bplist.c +++ b/src/bplist.c @@ -742,6 +742,9 @@ PLIST_API void plist_from_bin(const char *plist_bin, uint32_t length, plist_t * if (offset_table + num_objects * offset_size >= plist_bin + length) return; + if (sizeof(uint32_t) * num_objects < num_objects) + return; + struct bplist_data bplist; bplist.data = plist_bin; bplist.size = length; @@ -752,6 +755,9 @@ PLIST_API void plist_from_bin(const char *plist_bin, uint32_t length, plist_t * bplist.level = 0; bplist.used_indexes = (uint32_t*)malloc(sizeof(uint32_t) * num_objects); + if (!bplist.used_indexes) + return; + *plist = parse_bin_node_at_index(&bplist, root_object); free(bplist.used_indexes); |