diff options
| author |  Nikias Bassen | 2023-01-09 19:07:54 +0100 |
|---|---|---|
| committer | Nikias Bassen | 2023-01-09 19:07:54 +0100 |
| commit | 5bdbd3fe620e66a65373524a0707909ca926a3a1 (patch) | |
| tree | 5e429417afcc2720af40c102b9c3dfea7ece8738 | |
| parent | 62b03b85a56a7b98e6eef237deeff1a8b41f8fb8 (diff) | |
| download | libplist-5bdbd3fe620e66a65373524a0707909ca926a3a1.tar.gz libplist-5bdbd3fe620e66a65373524a0707909ca926a3a1.tar.bz2 | |
oplist: Fix OOB read by checking bounds properly
Credit to OSS-Fuzz
| -rw-r--r-- | src/oplist.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/oplist.c b/src/oplist.c index df12fb3..21d8a64 100644 --- a/src/oplist.c +++ b/src/oplist.c @@ -550,7 +550,7 @@ static void parse_dict_data(parse_ctx ctx, plist_t dict) if (ctx->pos >= ctx->end) { PLIST_OSTEP_ERR("EOF while parsing dictionary item at offset %ld\n", ctx->pos - ctx->start); ctx->err++; - break; + break; } val = NULL; ctx->err = node_from_openstep(ctx, &val); @@ -710,6 +710,11 @@ static int node_from_openstep(parse_ctx ctx, plist_t *plist) } ctx->pos++; } + if (ctx->pos >= ctx->end) { + PLIST_OSTEP_ERR("EOF while parsing quoted string at offset %ld\n", ctx->pos - ctx->start); + ctx->err++; + goto err_out; + } if (*ctx->pos != c) { plist_free_data(data); PLIST_OSTEP_ERR("Missing closing quote (%c) at offset %ld\n", c, ctx->pos - ctx->start); |