diff options
| author | 2017-02-09 14:50:48 +0100 | |
|---|---|---|
| committer | 2017-02-09 14:50:48 +0100 | |
| commit | b1be1e99dd1f489720e83d018bcbdb91fb1e87e5 (patch) | |
| tree | fcf66358aeb7826b273ca8c52576b6e910c4fa63 | |
| parent | 47d02dde60b4c709d579aa22187ac55524485b97 (diff) | |
| download | libplist-b1be1e99dd1f489720e83d018bcbdb91fb1e87e5.tar.gz libplist-b1be1e99dd1f489720e83d018bcbdb91fb1e87e5.tar.bz2 | |
bplist: Make sure to detect integer overflow when handling unicode node size
Credit to OSS-Fuzz
| -rw-r--r-- | src/bplist.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/bplist.c b/src/bplist.c index bf8d985..da7bb63 100644 --- a/src/bplist.c +++ b/src/bplist.c | |||
| @@ -668,6 +668,10 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object) | |||
| 668 | return parse_string_node(object, size); | 668 | return parse_string_node(object, size); |
| 669 | 669 | ||
| 670 | case BPLIST_UNICODE: | 670 | case BPLIST_UNICODE: |
| 671 | if (size*2 < size) { | ||
| 672 | PLIST_BIN_ERR("%s: Integer overflow when calculating BPLIST_UNICODE data size.\n", __func__); | ||
| 673 | return NULL; | ||
| 674 | } | ||
| 671 | if (*object + size*2 > bplist->offset_table) { | 675 | if (*object + size*2 > bplist->offset_table) { |
| 672 | PLIST_BIN_ERR("%s: BPLIST_UNICODE data bytes point outside of valid range\n", __func__); | 676 | PLIST_BIN_ERR("%s: BPLIST_UNICODE data bytes point outside of valid range\n", __func__); |
| 673 | return NULL; | 677 | return NULL; |
