authorGravatar Nikias Bassen2023-01-17 01:26:58 +0100
committerGravatar Nikias Bassen2023-01-17 01:26:58 +0100
commit85f5cbd3705b34fcc52009ca51d8167ab18764fa (patch)
tree17184b2653fbedb291101b40f8593a8aa94d32b2
parentf31ab3835bb4bf8e574e9920ef9f17359163cbd3 (diff)
oplist: Fix another OOB read
Credit to OSS-Fuzz
-rw-r--r--fuzz/oplist-crashes/clusterfuzz-testcase-minimized-oplist_fuzzer-47161941146992641
-rw-r--r--src/oplist.c7
2 files changed, 8 insertions, 0 deletions
diff --git a/fuzz/oplist-crashes/clusterfuzz-testcase-minimized-oplist_fuzzer-4716194114699264 b/fuzz/oplist-crashes/clusterfuzz-testcase-minimized-oplist_fuzzer-4716194114699264
new file mode 100644
index 0000000..2fa08dc
--- /dev/null
+++ b/fuzz/oplist-crashes/clusterfuzz-testcase-minimized-oplist_fuzzer-4716194114699264
@@ -0,0 +1 @@
(< \ No newline at end of file
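--- a/src/oplist.c
+++ b/src/oplist.c
@@ -715,6 +715,13 @@ static int node_from_openstep(parse_ctx ctx, plist_t *plist)
 plist_free_data(data);
 goto err_out;
 }
+if (ctx->pos >= ctx->end) {
+byte_array_free(bytes);
+plist_free_data(data);
+PLIST_OSTEP_ERR("EOF while parsing data terminator '>' at offset %ld\n", ctx->pos - ctx->start);
+ctx->err++;
+goto err_out;
+}
 if (*ctx->pos != '>') {
 byte_array_free(bytes);
 plist_free_data(data);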
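Review bot: The new PLIST_OSTEP_ERR call prints `ctx->pos - ctx->start`, a pointer difference of type ptrdiff_t, with `%ld`; on LLP64 targets such as 64-bit Windows that is a 32-bit/64-bit mismatch and undefined behaviour if the macro forwards its arguments to a printf-family function, so the specifier should be `%td` (or the value cast to `long`): `PLIST_OSTEP_ERR("EOF while parsing data terminator '>' at offset %td\n", ctx->pos - ctx->start);`. The same pattern presumably appears in the sibling error paths of this function, so it is worth fixing consistently rather than only here. The added bounds check is correct for the `*ctx->pos` dereference that follows it, but the `>` terminator is only reached after the data-byte loop above, so it is worth confirming that the loop itself (outside this hunk) also stops at `ctx->end` rather than relying on this check alone. The enclosing node_from_openstep body begins before and ends after this hunk.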