author | Nikias Bassen | 2017-02-03 23:33:07 +0100 |
---|---|---|
committer | Nikias Bassen | 2017-02-03 23:33:07 +0100 |
commit | fc047e6de9d7afa3b168fd2c4d1d0884788e7086 (patch) | |
tree | 029ca9f6a612affb2d8cea38b19176384ca59317 /src | |
parent | 3ca4f0aeecfee240bfb37706dc37afe623d00512 (diff) | |
bplist: Prevent OOB read when parsing data/string/array/dict size nodes
As reported in #91, the code that will read the big endian integer value
of variable size did not check if the actual number of bytes is still
within the range of the actual plist data.
This commit fixes the issue with proper bounds checking.
Diffstat (limited to 'src')
-rw-r--r-- | src/bplist.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/bplist.c b/src/bplist.c index 1a40556..0cfe5fe 100644 --- a/src/bplist.c +++ b/src/bplist.c @@ -530,6 +530,8 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object) return NULL; (*object)++; next_size = 1 << next_size; + if (*object + next_size >= bplist->data + bplist->size) + return NULL; size = UINT_TO_HOST(*object, next_size); (*object) += next_size; break; |
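Review bot: The new check in parse_bin_node, `if (*object + next_size >= bplist->data + bplist->size)`, does its bounds test by pointer addition. Forming `*object + next_size` is only defined in C while the result stays within the buffer or one past its end, so for a large `next_size` the comparison itself relies on undefined behaviour and a compiler may optimise it away. Comparing lengths avoids that: compute the bytes remaining as `bplist->data + bplist->size - *object` and reject when `next_size` is not smaller than that value. The use of `>=` rather than `>` also rejects a size integer that ends exactly at the end of the data. That looks intentional, since the node's payload has to follow the size field, but a one-line comment saying so would keep a later reader from "fixing" it to `>`. Finally, the `(*object)++` just above the added lines has no visible bounds check in this hunk, so it is worth confirming that the caller guarantees at least one byte after the marker before the pointer is advanced.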