
Contents of /updates/5/libplist/current/SOURCES/0020-Prevent-OOB-read-when-parsing-data-string-array-dict-size-nodes.patch



Revision 1186922
Fri Dec 29 04:22:08 2017 UTC (6 years, 3 months ago) by luigiwalser
File size: 1053 byte(s)
- 1.12
- library major is now 3
- add patches from opensuse to fix several security issues (mga#20232)

1 From fc047e6de9d7afa3b168fd2c4d1d0884788e7086 Mon Sep 17 00:00:00 2001
2 From: Nikias Bassen <nikias@gmx.li>
3 Date: Fri, 3 Feb 2017 23:33:07 +0100
4 Subject: [PATCH] bplist: Prevent OOB read when parsing data/string/array/dict
5 size nodes
6
7 As reported in #91, the code that will read the big endian integer value
8 of variable size did not check if the actual number of bytes is still
9 within the range of the actual plist data.
10 This commit fixes the issue with proper bounds checking.
11 ---
12 src/bplist.c | 2 ++
13 1 file changed, 2 insertions(+)
14
15 diff --git a/src/bplist.c b/src/bplist.c
16 index 1a40556..0cfe5fe 100644
17 --- a/src/bplist.c
18 +++ b/src/bplist.c
19 @@ -530,6 +530,8 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object)
20 return NULL;
21 (*object)++;
22 next_size = 1 << next_size;
23 + if (*object + next_size >= bplist->data + bplist->size)
24 + return NULL;
25 size = UINT_TO_HOST(*object, next_size);
26 (*object) += next_size;
27 break;
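Review bot: The added check in parse_bin_node, `if (*object + next_size >= bplist->data + bplist->size)`, does its bounds test by pointer addition, so `*object + next_size` is formed before anything has established that it stays inside the buffer; a pointer computed past the end of the object is undefined behaviour in C and can wrap, letting the comparison pass. Comparing lengths avoids that: test `next_size` against the remaining byte count `(bplist->data + bplist->size) - *object` instead. Note also that `>=` rejects a size field that ends exactly on the last byte of the data, which is stricter than the read itself requires; if that is intentional (a size field must be followed by at least one byte), a short comment would make it clear. Finally, this only covers the `next_size` bytes read by `UINT_TO_HOST`; the decoded `size` is not validated in the lines shown here, so please confirm that each data/string/array/dict consumer checks it against the remaining buffer before use.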
