From fc047e6de9d7afa3b168fd2c4d1d0884788e7086 Mon Sep 17 00:00:00 2001 |
From: Nikias Bassen <nikias@gmx.li> |
Date: Fri, 3 Feb 2017 23:33:07 +0100 |
Subject: [PATCH] bplist: Prevent OOB read when parsing data/string/array/dict |
size nodes |
|
As reported in #91, the code that will read the big endian integer value |
of variable size did not check if the actual number of bytes is still |
within the range of the actual plist data. |
This commit fixes the issue with proper bounds checking. |
--- |
src/bplist.c | 2 ++ |
1 file changed, 2 insertions(+) |
|
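diff --git a/src/bplist.c b/src/bplist.c
index 1a40556..0cfe5fe 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -530,6 +530,8 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object)
 return NULL;
 (*object)++;
 next_size = 1 << next_size;
+ if (*object + next_size >= bplist->data + bplist->size)
+ return NULL;
 size = UINT_TO_HOST(*object, next_size);
 (*object) += next_size;
 break;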
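Review bot: The added guard forms the pointer `*object + next_size` before comparing it with the end of the buffer, and in C a pointer that lands more than one element past the end of the plist data is undefined behaviour even when it is never dereferenced, so the compiler is not obliged to keep the comparison the way the author intends. Comparing lengths instead keeps every pointer inside the object: `if ((size_t)(bplist->data + bplist->size - *object) <= next_size) return NULL;` (this presumes `*object` has already been kept within the data by the lines before the hunk, which are not visible here). Note that `>=` in the original, and `<=` in this form, also rejects a size integer that ends exactly on the last byte of the data; if that is intended it deserves a short comment such as `/* size integer must fit inside the plist data with at least one byte after it */`, otherwise `>` / `<` is the exact bound. The guard covers only the size integer itself; the `size` bytes of payload read after it still need their own bound check, which this hunk does not show. parse_bin_node begins and ends outside the hunk.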