| field | value |
|---|---|
| author | 2017-02-04 02:51:03 +0100 |
| committer | 2017-02-04 02:51:03 +0100 |
| commit | c4dcf11b533b1b604216edb295e4f50a6085650f (patch) |
| tree | e2c30b92f152d9cd9cf559b46198711d77aa0ce6 /fuzz |
| parent | fc047e6de9d7afa3b168fd2c4d1d0884788e7086 (diff) |
| download | libplist-c4dcf11b533b1b604216edb295e4f50a6085650f.tar.gz libplist-c4dcf11b533b1b604216edb295e4f50a6085650f.tar.bz2 |
bplist: Fix OOB write on heap buffer and improve recursion check
Issue #92 pointed out a problem with (invalid) bplist files which have
exactly one structured node whose subnode references itself.
The recursion check used a fixed size array with the size of the total number
of objects. In this case the number of objects is 1 but the recursion check
code wanted to set the node_index for level 1 which leads to an OOB write
on the heap. This commit fixes/improves two things:
1) Prevent OOB write by using a dynamic data storage for the used node
   indexes (plist_t of type PLIST_ARRAY)
2) Reduces the memory usage of large binary plists, because not the total
   number of nodes in the binary plist, but the number of recursion levels
   is important for the recursion check.
Diffstat (limited to 'fuzz')
0 files changed, 0 insertions, 0 deletions
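The recursion check the commit message describes, as an added example that is not libplist's own code: a toy object table stands in for a bplist object table, the parser walks it with a path of node indexes that grows with recursion depth rather than with the object count, and the cycle test runs before an index is recorded, so the one-node self-reference from issue #92 is rejected without any write past the end of the storage. Every name here (`toy_node_t`, `walk_node`, `parse_toy_plist`, the `scenario_*` functions) and every sample table is constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a bplist object table: a node is a leaf or a
 * container whose entries are indexes into the same table. */
#define MAX_CHILDREN 8
typedef struct {
    int      is_container;
    uint32_t nchildren;
    uint32_t children[MAX_CHILDREN];
} toy_node_t;

typedef struct {
    const toy_node_t *nodes;
    uint32_t          num_nodes;
} toy_plist_t;

/* Indexes of the nodes currently being parsed (the ancestor path). Its size
 * follows recursion depth, not num_nodes, so a 1-node file cannot overflow it. */
typedef struct {
    uint32_t *items;
    size_t    len;
    size_t    cap;
} index_path_t;

static int path_push(index_path_t *p, uint32_t idx)
{
    if (p->len == p->cap) {
        size_t    ncap = p->cap ? p->cap * 2 : 4;
        uint32_t *n    = realloc(p->items, ncap * sizeof *n);
        if (!n)
            return -1;
        p->items = n;
        p->cap   = ncap;
    }
    p->items[p->len++] = idx;
    return 0;
}

static int path_contains(const index_path_t *p, uint32_t idx)
{
    for (size_t i = 0; i < p->len; i++)
        if (p->items[i] == idx)
            return 1;
    return 0;
}

/* Walk one node. Returns 0 on success, -1 on an out-of-range index, a
 * recursion loop, or allocation failure. The loop test runs BEFORE the
 * index is recorded, so a node that refers to itself is rejected at once. */
static int walk_node(const toy_plist_t *pl, uint32_t idx,
                     index_path_t *path, size_t *max_depth)
{
    if (idx >= pl->num_nodes)
        return -1;                  /* reference outside the object table */
    if (path_contains(path, idx))
        return -1;                  /* idx is its own ancestor: recursion loop */
    if (path_push(path, idx) != 0)
        return -1;
    if (path->len > *max_depth)
        *max_depth = path->len;

    const toy_node_t *n  = &pl->nodes[idx];
    int               rc = 0;
    if (n->is_container)
        for (uint32_t i = 0; i < n->nchildren && rc == 0; i++)
            rc = walk_node(pl, n->children[i], path, max_depth);

    path->len--;   /* pop: a sibling subtree may legitimately reuse this object */
    return rc;
}

/* Parse from the root (index 0); reports the deepest recursion level reached. */
int parse_toy_plist(const toy_plist_t *pl, size_t *max_depth)
{
    index_path_t path = { NULL, 0, 0 };
    *max_depth = 0;
    int rc = pl->num_nodes ? walk_node(pl, 0, &path, max_depth) : -1;
    free(path.items);
    return rc;
}

/* Constructed scenarios. Cycle cases return the parse result (-1);
 * valid cases return the recursion depth reached (0 would mean failure). */
int scenario_self_reference(void)   /* the issue #92 shape: one node -> itself */
{
    toy_node_t  nodes[] = { { 1, 1, { 0 } } };
    toy_plist_t pl      = { nodes, 1 };
    size_t      depth;
    return parse_toy_plist(&pl, &depth);
}

int scenario_two_node_cycle(void)   /* 0 -> 1 -> 0 */
{
    toy_node_t  nodes[] = { { 1, 1, { 1 } }, { 1, 1, { 0 } } };
    toy_plist_t pl      = { nodes, 2 };
    size_t      depth;
    return parse_toy_plist(&pl, &depth);
}

size_t scenario_shared_leaf(void)   /* 0 -> {1, 1}: reuse of a leaf, not a loop */
{
    toy_node_t  nodes[] = { { 1, 2, { 1, 1 } }, { 0, 0, { 0 } } };
    toy_plist_t pl      = { nodes, 2 };
    size_t      depth;
    return parse_toy_plist(&pl, &depth) == 0 ? depth : 0;
}

size_t scenario_wide(void)          /* 9 nodes, depth 2: storage follows depth */
{
    toy_node_t nodes[9] = { { 1, 8, { 1, 2, 3, 4, 5, 6, 7, 8 } } };
    toy_plist_t pl      = { nodes, 9 };
    size_t      depth;
    return parse_toy_plist(&pl, &depth) == 0 ? depth : 0;
}

int main(void)
{
    printf("self-reference: %d, two-node cycle: %d, shared leaf depth: %zu, wide depth: %zu\n",
           scenario_self_reference(), scenario_two_node_cycle(),
           scenario_shared_leaf(), scenario_wide());
    return 0;
}
```

Two details carry the point of the commit: the path is popped after each subtree, so an object referenced twice by different parents (a legitimate shape in binary plists, where equal values are stored once) is accepted while a true ancestor loop is not, and the path's capacity is driven by how deep the walk goes, which is why a nine-node table two levels deep needs no more storage than a two-node one.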
