diff options
| author |  Filippo Bigarella | 2016-11-10 01:12:42 +0100 |
|---|---|---|
| committer |  Nikias Bassen | 2016-11-10 01:12:42 +0100 |
| commit | b86a392b819518cf37db78140d4ed4418c0177da (patch) | |
| tree | 6d717d81d6e7982b730f91ce0663f2525e52fa79 /src/bplist.c | |
| parent | a4563ffeaa0448712c739fc91526e8f210c1e164 (diff) | |
| download | libplist-b86a392b819518cf37db78140d4ed4418c0177da.tar.gz libplist-b86a392b819518cf37db78140d4ed4418c0177da.tar.bz2 | |
bplist: Fix possible out-of-bounds reads in parse_bin_node() with proper bounds checking
Diffstat (limited to 'src/bplist.c')
| -rw-r--r-- | src/bplist.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/src/bplist.c b/src/bplist.c index 8cafb6a..dad72a6 100644 --- a/src/bplist.c +++ b/src/bplist.c @@ -568,15 +568,21 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object) } case BPLIST_UINT: + if (*object - bplist->data + (uint64_t)(1 << size) >= bplist->size) + return NULL; return parse_uint_node(object, size); case BPLIST_REAL: + if (*object - bplist->data + (uint64_t)(1 << size) >= bplist->size) + return NULL; return parse_real_node(object, size); case BPLIST_DATE: if (3 != size) return NULL; else + if (*object - bplist->data + (uint64_t)(1 << size) >= bplist->size) + return NULL; return parse_date_node(object, size); case BPLIST_DATA: @@ -587,6 +593,9 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object) plist_get_uint_val(size_node, &size); plist_free(size_node); } + + if (*object - bplist->data + size >= bplist->size) + return NULL; return parse_data_node(object, size); case BPLIST_STRING: @@ -597,6 +606,9 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object) plist_get_uint_val(size_node, &size); plist_free(size_node); } + + if (*object - bplist->data + size >= bplist->size) + return NULL; return parse_string_node(object, size); case BPLIST_UNICODE: @@ -607,6 +619,9 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object) plist_get_uint_val(size_node, &size); plist_free(size_node); } + + if (*object - bplist->data + size * 2 >= bplist->size) + return NULL; return parse_unicode_node(object, size); case BPLIST_SET: @@ -618,6 +633,9 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object) plist_get_uint_val(size_node, &size); plist_free(size_node); } + + if (*object - bplist->data + size >= bplist->size) + return NULL; return parse_array_node(bplist, object, size); case BPLIST_UID: @@ -631,6 +649,9 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object) plist_get_uint_val(size_node, &size); plist_free(size_node); } + + if (*object - bplist->data + size >= bplist->size) + return NULL; return parse_dict_node(bplist, object, size); default: return NULL; |