diff options
| author |  Nikias Bassen | 2025-12-08 02:03:27 +0100 |
|---|---|---|
| committer | Nikias Bassen | 2025-12-08 02:03:27 +0100 |
| commit | 15164ebe870590376b2286b09dc97890a07dd373 (patch) | |
| tree | 22b75304e7d19eff3f22bc23edb4471b2d86dc1d | |
| parent | b32b370d8d44fa7cc9d3478b9e19f3abaa43d3c2 (diff) | |
| download | libplist-15164ebe870590376b2286b09dc97890a07dd373.tar.gz libplist-15164ebe870590376b2286b09dc97890a07dd373.tar.bz2 | |
bplist: Fix offset_table range check
Credit to OSS-Fuzz
| -rw-r--r-- | src/bplist.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/bplist.c b/src/bplist.c index 08fca87..b2d0e7c 100644 --- a/src/bplist.c +++ b/src/bplist.c | |||
| @@ -876,7 +876,14 @@ plist_err_t plist_from_bin(const char *plist_bin, uint32_t length, plist_t * pli | |||
| 876 | ref_size = trailer->ref_size; | 876 | ref_size = trailer->ref_size; |
| 877 | num_objects = be64toh(trailer->num_objects); | 877 | num_objects = be64toh(trailer->num_objects); |
| 878 | root_object = be64toh(trailer->root_object_index); | 878 | root_object = be64toh(trailer->root_object_index); |
| 879 | offset_table = (char *)(plist_bin + be64toh(trailer->offset_table_offset)); | 879 | |
| 880 | uint64_t offset_table_offset = be64toh(trailer->offset_table_offset); | ||
| 881 | uint64_t max_valid_offset = (uint64_t)length - sizeof(bplist_trailer_t); | ||
| 882 | if (offset_table_offset > max_valid_offset) { | ||
| 883 | PLIST_BIN_ERR("offset table offset outside of valid range\n"); | ||
| 884 | return PLIST_ERR_PARSE; | ||
| 885 | } | ||
| 886 | offset_table = (char *)(plist_bin + offset_table_offset); | ||
| 880 | 887 | ||
| 881 | if (num_objects == 0) { | 888 | if (num_objects == 0) { |
| 882 | PLIST_BIN_ERR("number of objects must be larger than 0\n"); | 889 | PLIST_BIN_ERR("number of objects must be larger than 0\n"); |