diff options
| author |  Nikias Bassen | 2023-12-12 10:48:41 +0100 |
|---|---|---|
| committer | Nikias Bassen | 2023-12-12 10:48:41 +0100 |
| commit | 8487d23fd2ab5683d631fd41e5f6a2f5a44d867a (patch) | |
| tree | 49141673b18a955735581eae18fda38d21349156 | |
| parent | c46afc87ad605936ebcb6c03d3f309f818fd6f09 (diff) | |
| download | libplist-8487d23fd2ab5683d631fd41e5f6a2f5a44d867a.tar.gz libplist-8487d23fd2ab5683d631fd41e5f6a2f5a44d867a.tar.bz2 | |
Prevent OOB access in plist_from_memory
Credit to OSS-Fuzz
| -rw-r--r-- | src/plist.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/src/plist.c b/src/plist.c index 2f4990c..e8f6974 100644 --- a/src/plist.c +++ b/src/plist.c | |||
| @@ -222,6 +222,9 @@ plist_err_t plist_from_memory(const char *plist_data, uint32_t length, plist_t * | |||
| 222 | int is_xml = 0; | 222 | int is_xml = 0; |
| 223 | /* skip whitespace */ | 223 | /* skip whitespace */ |
| 224 | SKIP_WS(plist_data, pos, length); | 224 | SKIP_WS(plist_data, pos, length); |
| 225 | if (pos >= length) { | ||
| 226 | return PLIST_ERR_PARSE; | ||
| 227 | } | ||
| 225 | if (plist_data[pos] == '<' && (length-pos > 3) && !isxdigit(plist_data[pos+1]) && !isxdigit(plist_data[pos+2]) && !isxdigit(plist_data[pos+3])) { | 228 | if (plist_data[pos] == '<' && (length-pos > 3) && !isxdigit(plist_data[pos+1]) && !isxdigit(plist_data[pos+2]) && !isxdigit(plist_data[pos+3])) { |
| 226 | is_xml = 1; | 229 | is_xml = 1; |
| 227 | } else if (plist_data[pos] == '[') { | 230 | } else if (plist_data[pos] == '[') { |
| @@ -233,19 +236,28 @@ plist_err_t plist_from_memory(const char *plist_data, uint32_t length, plist_t * | |||
| 233 | /* this could be json or openstep */ | 236 | /* this could be json or openstep */ |
| 234 | pos++; | 237 | pos++; |
| 235 | SKIP_WS(plist_data, pos, length); | 238 | SKIP_WS(plist_data, pos, length); |
| 239 | if (pos >= length) { | ||
| 240 | return PLIST_ERR_PARSE; | ||
| 241 | } | ||
| 236 | if (plist_data[pos] == '"') { | 242 | if (plist_data[pos] == '"') { |
| 237 | /* still could be both */ | 243 | /* still could be both */ |
| 238 | pos++; | 244 | pos++; |
| 239 | do { | 245 | while (pos < length) { |
| 240 | FIND_NEXT(plist_data, pos, length, '"'); | 246 | FIND_NEXT(plist_data, pos, length, '"'); |
| 241 | if (plist_data[pos-1] != '\\') { | 247 | if (plist_data[pos-1] != '\\') { |
| 242 | break; | 248 | break; |
| 243 | } | 249 | } |
| 244 | pos++; | 250 | pos++; |
| 245 | } while (pos < length); | 251 | } |
| 252 | if (pos >= length) { | ||
| 253 | return PLIST_ERR_PARSE; | ||
| 254 | } | ||
| 246 | if (plist_data[pos] == '"') { | 255 | if (plist_data[pos] == '"') { |
| 247 | pos++; | 256 | pos++; |
| 248 | SKIP_WS(plist_data, pos, length); | 257 | SKIP_WS(plist_data, pos, length); |
| 258 | if (pos >= length) { | ||
| 259 | return PLIST_ERR_PARSE; | ||
| 260 | } | ||
| 249 | if (plist_data[pos] == ':') { | 261 | if (plist_data[pos] == ':') { |
| 250 | /* this is definitely json */ | 262 | /* this is definitely json */ |
| 251 | is_json = 1; | 263 | is_json = 1; |