From a4563ffeaa0448712c739fc91526e8f210c1e164 Mon Sep 17 00:00:00 2001
From: Filippo Bigarella
Date: Thu, 10 Nov 2016 00:54:05 +0100
Subject: bplist: Fix possible out-of-bounds read in parse_dict_node() with
 proper bounds checking

---
 src/bplist.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

(limited to 'src/bplist.c')

diff --git a/src/bplist.c b/src/bplist.c
index 78b8255..8cafb6a 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -402,6 +402,9 @@ static plist_t parse_dict_node(struct bplist_data *bplist, const char** bnode, u
     uint64_t str_i = 0, str_j = 0;
     uint64_t index1, index2;
     plist_data_t data = plist_new_plist_data();
+    const char *const end_data = bplist->data + bplist->size;
+    const char *index1_ptr = NULL;
+    const char *index2_ptr = NULL;
 
     data->type = PLIST_DICT;
     data->length = size;
@@ -411,9 +414,17 @@ static plist_t parse_dict_node(struct bplist_data *bplist, const char** bnode, u
     for (j = 0; j < data->length; j++) {
         str_i = j * bplist->dict_size;
         str_j = (j + size) * bplist->dict_size;
+        index1_ptr = (*bnode) + str_i;
+        index2_ptr = (*bnode) + str_j;
 
-        index1 = UINT_TO_HOST((*bnode) + str_i, bplist->dict_size);
-        index2 = UINT_TO_HOST((*bnode) + str_j, bplist->dict_size);
+        if ((index1_ptr < bplist->data || index1_ptr + bplist->dict_size >= end_data) ||
+            (index2_ptr < bplist->data || index2_ptr + bplist->dict_size >= end_data)) {
+            plist_free(node);
+            return NULL;
+        }
+
+        index1 = UINT_TO_HOST(index1_ptr, bplist->dict_size);
+        index2 = UINT_TO_HOST(index2_ptr, bplist->dict_size);
 
         if (index1 >= bplist->num_objects) {
             plist_free(node);
-- 
cgit v1.1-32-gdbae