summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGravatar Nikias Bassen2017-02-09 14:50:48 +0100
committerGravatar Nikias Bassen2017-02-09 14:50:48 +0100
commitb1be1e99dd1f489720e83d018bcbdb91fb1e87e5 (patch)
treefcf66358aeb7826b273ca8c52576b6e910c4fa63
parent47d02dde60b4c709d579aa22187ac55524485b97 (diff)
downloadlibplist-b1be1e99dd1f489720e83d018bcbdb91fb1e87e5.tar.gz
libplist-b1be1e99dd1f489720e83d018bcbdb91fb1e87e5.tar.bz2
bplist: Make sure to detect integer overflow when handling unicode node size
Credit to OSS-Fuzz
-rw-r--r--src/bplist.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/bplist.c b/src/bplist.c
index bf8d985..da7bb63 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -668,6 +668,10 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object)
668 return parse_string_node(object, size); 668 return parse_string_node(object, size);
669 669
670 case BPLIST_UNICODE: 670 case BPLIST_UNICODE:
671 if (size*2 < size) {
672 PLIST_BIN_ERR("%s: Integer overflow when calculating BPLIST_UNICODE data size.\n", __func__);
673 return NULL;
674 }
671 if (*object + size*2 > bplist->offset_table) { 675 if (*object + size*2 > bplist->offset_table) {
672 PLIST_BIN_ERR("%s: BPLIST_UNICODE data bytes point outside of valid range\n", __func__); 676 PLIST_BIN_ERR("%s: BPLIST_UNICODE data bytes point outside of valid range\n", __func__);
673 return NULL; 677 return NULL;