authorGravatar Nikias Bassen2017-02-07 03:03:15 +0100
committerGravatar Nikias Bassen2017-02-07 03:03:15 +0100
commite4dc36f18a3ba06183168111052b7b4e213c740b (patch)
treefe50c564f3e87ddf101fb0e06daac8401d60b151
parentca33a2b7aebf7cadd480a80d1eb2284406061b08 (diff)
xplist: Prevent OOB read in two more cases
-rw-r--r--src/xplist.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/xplist.c b/src/xplist.c
index 7cee6de..d157200 100644
--- a/src/xplist.c
+++ b/src/xplist.c
@@ -546,6 +546,11 @@ static text_part_t* get_text_parts(parse_ctx ctx, const char* tag, size_t tag_le
}
if (*ctx->pos == '!') {
ctx->pos++;
+ if (ctx->pos >= ctx->end-1) {
+ PLIST_XML_ERR("EOF while parsing <! special tag\n");
+ ctx->err++;
+ return NULL;
+ }
if (*ctx->pos == '-' && *(ctx->pos+1) == '-') {
if (last) {
last = text_part_append(last, p, q-p, 0);
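Review bot: The `-1` in `ctx->pos >= ctx->end-1` reads like an off-by-one, and nothing on the line says why it is there. It is needed because the next statement reads two bytes, `*ctx->pos` and `*(ctx->pos+1)`. I would add a comment such as `/* need 2 readable bytes for the "--" lookahead below */`, or state the requirement directly as `if (ctx->end - ctx->pos < 2) {`. The guard covers only that two-byte lookahead, so any longer comparison later in this `<!` branch needs its own length check; that code is outside the hunk and I can't confirm it from here. get_text_parts starts and ends outside the hunk.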
@@ -844,6 +849,11 @@ static void node_from_xml(parse_ctx ctx, plist_t *plist, uint32_t depth)
ctx->pos+=8;
while (ctx->pos < ctx->end) {
find_next(ctx, " \t\r\n[>", 6, 1);
+ if (ctx->pos >= ctx->end) {
+ PLIST_XML_ERR("EOF while parsing !DOCTYPE\n");
+ ctx->err++;
+ goto err_out;
+ }
if (*ctx->pos == '[') {
embedded_dtd = 1;
break;
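Review bot: The added EOF error is reachable only from inside the loop, so it does not cover the case where `ctx->pos+=8` on the line before the `while` already leaves `ctx->pos` at or past `ctx->end`. The loop body is then skipped and execution continues after the loop with no error counted. Whether that can happen depends on the length check guarding this `!DOCTYPE` branch, which is outside the hunk. If that check guarantees only the 8 bytes of the keyword, the code after the loop should test `ctx->pos >= ctx->end` before it dereferences `ctx->pos`. A short comment on the new check would also help, e.g. `/* find_next() may stop at ctx->end without finding a delimiter */`, which is presumably the reason it sits right after the call. node_from_xml continues outside the hunk.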