author | Filippo Bigarella | 2016-11-10 01:24:29 +0100 |
---|---|---|
committer | Nikias Bassen | 2016-11-10 01:24:29 +0100 |
commit | 1ae55728f427532234be85a90322e4a3c77b4074 (patch) | |
tree | 55dfe72ec6ea98b2eb7a7a9e8c12ebbe03cbe7ab /src/bplist.c | |
parent | b86a392b819518cf37db78140d4ed4418c0177da (diff) | |
bplist: Make sure the index in parse_bin_node_at_index() is actually within the offset table
Diffstat (limited to 'src/bplist.c')
-rw-r--r-- | src/bplist.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/src/bplist.c b/src/bplist.c
index dad72a6..8447187 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -661,11 +661,20 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object)
 static plist_t parse_bin_node_at_index(struct bplist_data *bplist, uint32_t node_index)
 {
- int i;
- const char* ptr;
- plist_t plist;
+ int i = 0;
+ const char* ptr = NULL;
+ plist_t plist = NULL;
+ const char* idx_ptr = NULL;
- ptr = bplist->data + UINT_TO_HOST(bplist->offset_table + node_index * bplist->offset_size, bplist->offset_size);
+ if (node_index > bplist->num_objects)
+ return NULL;
+
+ idx_ptr = bplist->offset_table + node_index * bplist->offset_size;
+ if (idx_ptr < bplist->offset_table ||
+ idx_ptr >= bplist->offset_table + bplist->num_objects * bplist->offset_size)
+ return NULL;
+
+ ptr = bplist->data + UINT_TO_HOST(idx_ptr, bplist->offset_size);
 /* make sure the node offset is in a sane range */
 if ((ptr < bplist->data) || (ptr >= bplist->offset_table)) {
 return NULL; |