From 15164ebe870590376b2286b09dc97890a07dd373 Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Mon, 8 Dec 2025 02:03:27 +0100
Subject: bplist: Fix offset_table range check

Credit to OSS-Fuzz
---
 src/bplist.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'src/bplist.c')

diff --git a/src/bplist.c b/src/bplist.c
index 08fca87..b2d0e7c 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -876,7 +876,14 @@ plist_err_t plist_from_bin(const char *plist_bin, uint32_t length, plist_t * pli
 	ref_size = trailer->ref_size;
 	num_objects = be64toh(trailer->num_objects);
 	root_object = be64toh(trailer->root_object_index);
-	offset_table = (char *)(plist_bin + be64toh(trailer->offset_table_offset));
+
+	uint64_t offset_table_offset = be64toh(trailer->offset_table_offset);
+	uint64_t max_valid_offset = (uint64_t)length - sizeof(bplist_trailer_t);
+	if (offset_table_offset > max_valid_offset) {
+		PLIST_BIN_ERR("offset table offset outside of valid range\n");
+		return PLIST_ERR_PARSE;
+	}
+	offset_table = (char *)(plist_bin + offset_table_offset);
 
 	if (num_objects == 0) {
 		PLIST_BIN_ERR("number of objects must be larger than 0\n");
-- 
cgit v1.1-32-gdbae
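Review bot: The new check bounds only the start of the offset table, not its extent, so after `offset_table = (char *)(plist_bin + offset_table_offset);` a table of `num_objects * offset_size` bytes can still run past the buffer (and past the trailer) unless a later check covers it; that later code is outside this hunk, so the safety of the first table read depends on a check the reviewer cannot see here. The `>` comparison also admits `offset_table_offset == max_valid_offset`, i.e. a table that starts exactly at the trailer, which is harmless only if the extent check rejects it before the first entry is read. `max_valid_offset` further relies on `length >= sizeof(bplist_trailer_t)` having been established earlier in `plist_from_bin` (presumably where the trailer pointer is derived), otherwise the subtraction wraps; that guard is also outside the hunk. A comment on the assignment would make the contract explicit: `/* only the table start is bounded here; the extent (num_objects * offset_size) must be checked against the trailer before the table is indexed */`. `plist_from_bin` begins and ends outside the hunk.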