authorGravatar Filippo Bigarella2016-11-10 01:34:02 +0100
committerGravatar Nikias Bassen2016-11-10 01:34:02 +0100
commit23fe533a0f0f34e9cb1d2e328107958645d54ed1 (patch)
tree5c04c5313f57d5dddf8b5a9ca8ef0d1a29aa2ec6
parenta4ca24c4fe316bc102b9fa52f808d206ab8cd24b (diff)
bplist: Make sure to error out if allocation of `used_indexes` buffer in plist_from_bin() fails
If the allocation fails, a lot of bad things can happen, so we check the result and return accordingly. We also check that the multiplication used to calculate the buffer size doesn't overflow. Otherwise this could lead to an allocation of a very small buffer compared to what we need, ultimately leading to arbitrary writes later on.
-rw-r--r--src/bplist.c6
1 files changed, 6 insertions, 0 deletions
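diff --git a/src/bplist.c b/src/bplist.c
index be82b4e..49d29c5 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -742,6 +742,9 @@ PLIST_API void plist_from_bin(const char *plist_bin, uint32_t length, plist_t *
 if (offset_table + num_objects * offset_size >= plist_bin + length)
 return;
+ if (sizeof(uint32_t) * num_objects < num_objects)
+ return;
+
 struct bplist_data bplist;
 bplist.data = plist_bin;
 bplist.size = length;
@@ -752,6 +755,9 @@ PLIST_API void plist_from_bin(const char *plist_bin, uint32_t length, plist_t *
 bplist.level = 0;
 bplist.used_indexes = (uint32_t*)malloc(sizeof(uint32_t) * num_objects);
+ if (!bplist.used_indexes)
+ return;
+
 *plist = parse_bin_node_at_index(&bplist, root_object);
 free(bplist.used_indexes);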
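Review bot: The overflow guard added in the first hunk, `if (sizeof(uint32_t) * num_objects < num_objects)`, does not reject every product that wraps: with a multiplier of 4 the wrapped value only falls below num_objects for part of the overflowing range (for a 64-bit size_t, num_objects = 2^63 - 1 gives 4 * num_objects mod 2^64 = 2^64 - 4, which is larger than num_objects and passes the check), and if num_objects is wider than size_t the product never wraps at all while the argument handed to malloc in the second hunk is truncated. The portable form is `if (num_objects > SIZE_MAX / sizeof(uint32_t)) return;`, which rejects exactly the counts whose byte size malloc cannot represent; SIZE_MAX comes from <stdint.h>, which the uint32_t uses suggest is already included. The declaration of num_objects is outside the hunk, so which of the two failure modes applies here cannot be confirmed from the diff. In the second hunk the new `if (!bplist.used_indexes) return;` leaves `*plist` untouched on failure; if callers expect a NULL result on error, set `*plist = NULL;` before the return. plist_from_bin begins before the first hunk.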