path: root/fuzz/bplist-crashes/clusterfuzz-testcase-4930725262393344
author: Nikias Bassen 2017-02-04 02:51:03 +0100
committer: Nikias Bassen 2017-02-04 02:51:03 +0100
commit: c4dcf11b533b1b604216edb295e4f50a6085650f (patch)
tree: e2c30b92f152d9cd9cf559b46198711d77aa0ce6 /fuzz/bplist-crashes/clusterfuzz-testcase-4930725262393344
parent: fc047e6de9d7afa3b168fd2c4d1d0884788e7086 (diff)
download: libplist-c4dcf11b533b1b604216edb295e4f50a6085650f.tar.gz
libplist-c4dcf11b533b1b604216edb295e4f50a6085650f.tar.bz2
bplist: Fix OOB write on heap buffer and improve recursion check
Issue #92 pointed out a problem with (invalid) bplist files which have exactly one structured node whose subnode references itself. The recursion check used a fixed-size array with the size of the total number of objects. In this case the number of objects is 1, but the recursion check code wanted to set the node_index for level 1, which leads to an OOB write on the heap. This commit fixes/improves two things:
1) Prevent OOB write by using a dynamic data storage for the used node indexes (plist_t of type PLIST_ARRAY)
2) Reduces the memory usage of large binary plists, because not the total number of nodes in the binary plist, but the number of recursion levels is important for the recursion check.
Diffstat (limited to 'fuzz/bplist-crashes/clusterfuzz-testcase-4930725262393344')
0 files changed, 0 insertions, 0 deletions
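To illustrate the recursion check the commit message describes, the following is an added example and not libplist's code: the indexes of the nodes on the current descent path are kept in a list that grows with the recursion depth rather than in an array sized by the object count, so a one-object plist whose only node references itself is reported as recursion at depth 1 instead of writing to slot 1 of a one-element array. The obj_t table, path_t list and detect_recursion function are constructed for this example.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of a bplist object table: each object is a leaf or a
 * container holding one child reference (an index into the same table). */
typedef struct { bool is_container; size_t child; } obj_t;

/* Object indexes on the current descent path. Capacity grows with the
 * recursion depth, not the object count, which is the change the commit
 * describes (libplist uses a PLIST_ARRAY; this realloc list is an assumption). */
typedef struct { size_t *idx; size_t len, cap; } path_t;

static bool path_push(path_t *p, size_t node) {
    if (p->len == p->cap) {
        size_t ncap = p->cap ? p->cap * 2 : 4;
        size_t *grown = realloc(p->idx, ncap * sizeof *grown);
        if (!grown) return false;
        p->idx = grown;
        p->cap = ncap;
    }
    p->idx[p->len++] = node;
    return true;
}

static bool path_contains(const path_t *p, size_t node) {
    for (size_t i = 0; i < p->len; i++)
        if (p->idx[i] == node) return true;
    return false;
}

/* Returns the depth at which a node already on the path was reached again
 * (the recursion the commit guards against), -1 for an acyclic tree,
 * -2 for a reference outside the table, -3 on allocation failure. */
static int walk(const obj_t *objs, size_t nobjs, size_t node, path_t *p) {
    if (node >= nobjs) return -2;
    if (path_contains(p, node)) return (int)p->len;
    if (!path_push(p, node)) return -3;
    int r = -1;
    if (objs[node].is_container) r = walk(objs, nobjs, objs[node].child, p);
    p->len--; /* leave this node's level on the way back up */
    return r;
}

int detect_recursion(const obj_t *objs, size_t nobjs, size_t root) {
    path_t p = {0};
    int r = walk(objs, nobjs, root, &p);
    free(p.idx);
    return r;
}
```

For the single self-referencing node from Issue #92 the function returns 1: the path list already holds two slots at that point, whereas an array sized by the object count would have had only one.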