From 85f5cbd3705b34fcc52009ca51d8167ab18764fa Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Tue, 17 Jan 2023 01:26:58 +0100
Subject: oplist: Fix another OOB read

Credit to OSS-Fuzz
---
 .../clusterfuzz-testcase-minimized-oplist_fuzzer-4716194114699264  | 1 +
 src/oplist.c                                                       | 7 +++++++
 2 files changed, 8 insertions(+)
 create mode 100644 fuzz/oplist-crashes/clusterfuzz-testcase-minimized-oplist_fuzzer-4716194114699264

diff --git a/fuzz/oplist-crashes/clusterfuzz-testcase-minimized-oplist_fuzzer-4716194114699264 b/fuzz/oplist-crashes/clusterfuzz-testcase-minimized-oplist_fuzzer-4716194114699264
new file mode 100644
index 0000000..2fa08dc
--- /dev/null
+++ b/fuzz/oplist-crashes/clusterfuzz-testcase-minimized-oplist_fuzzer-4716194114699264
@@ -0,0 +1 @@
+(<
\ No newline at end of file
diff --git a/src/oplist.c b/src/oplist.c
index 8936cce..4dd0df5 100644
--- a/src/oplist.c
+++ b/src/oplist.c
@@ -715,6 +715,13 @@ static int node_from_openstep(parse_ctx ctx, plist_t *plist)
                 plist_free_data(data);
                 goto err_out;
             }
+            if (ctx->pos >= ctx->end) {
+                byte_array_free(bytes);
+                plist_free_data(data);
+                PLIST_OSTEP_ERR("EOF while parsing data terminator '>' at offset %ld\n", ctx->pos - ctx->start);
+                ctx->err++;
+                goto err_out;
+            }
             if (*ctx->pos != '>') {
                 byte_array_free(bytes);
                 plist_free_data(data);
-- 
cgit v1.1-32-gdbae