diff options
| author |  Nikias Bassen | 2023-12-12 10:48:41 +0100 |
|---|---|---|
| committer | Nikias Bassen | 2023-12-12 10:48:41 +0100 |
| commit | 8487d23fd2ab5683d631fd41e5f6a2f5a44d867a (patch) | |
| tree | 49141673b18a955735581eae18fda38d21349156 | |
| parent | c46afc87ad605936ebcb6c03d3f309f818fd6f09 (diff) | |
| download | libplist-8487d23fd2ab5683d631fd41e5f6a2f5a44d867a.tar.gz libplist-8487d23fd2ab5683d631fd41e5f6a2f5a44d867a.tar.bz2 | |
Prevent OOB access in plist_from_memory
Credit to OSS-Fuzz
| -rw-r--r-- | src/plist.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/src/plist.c b/src/plist.c index 2f4990c..e8f6974 100644 --- a/src/plist.c +++ b/src/plist.c @@ -222,6 +222,9 @@ plist_err_t plist_from_memory(const char *plist_data, uint32_t length, plist_t * int is_xml = 0; /* skip whitespace */ SKIP_WS(plist_data, pos, length); + if (pos >= length) { + return PLIST_ERR_PARSE; + } if (plist_data[pos] == '<' && (length-pos > 3) && !isxdigit(plist_data[pos+1]) && !isxdigit(plist_data[pos+2]) && !isxdigit(plist_data[pos+3])) { is_xml = 1; } else if (plist_data[pos] == '[') { @@ -233,19 +236,28 @@ plist_err_t plist_from_memory(const char *plist_data, uint32_t length, plist_t * /* this could be json or openstep */ pos++; SKIP_WS(plist_data, pos, length); + if (pos >= length) { + return PLIST_ERR_PARSE; + } if (plist_data[pos] == '"') { /* still could be both */ pos++; - do { + while (pos < length) { FIND_NEXT(plist_data, pos, length, '"'); if (plist_data[pos-1] != '\\') { break; } pos++; - } while (pos < length); + } + if (pos >= length) { + return PLIST_ERR_PARSE; + } if (plist_data[pos] == '"') { pos++; SKIP_WS(plist_data, pos, length); + if (pos >= length) { + return PLIST_ERR_PARSE; + } if (plist_data[pos] == ':') { /* this is definitely json */ is_json = 1; |