bplist: Add overflow check to node offset pointer arithmetic

Credit to OSSFuzz
author: Nikias Bassen 2026-02-12 02:43:50 +0100
committer: Nikias Bassen 2026-02-12 02:43:50 +0100
commit: 9969b8ebeb2dd2ac66e4d18fc15d0340de6e8d0e (patch)
tree: cad46eb503d50655946b77e38433ce76b9f9563d /src/bplist.c
parent: c4763002d20e845b566edbe499ada85b03d38dc2 (diff)
download: libplist-9969b8ebeb2dd2ac66e4d18fc15d0340de6e8d0e.tar.gz
libplist-9969b8ebeb2dd2ac66e4d18fc15d0340de6e8d0e.tar.bz2
1 files changed, 7 insertions, 1 deletions
diff --git a/src/bplist.c b/src/bplist.c
index 308b787..1187c7a 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -852,7 +852,13 @@ static plist_t parse_bin_node_at_index(struct bplist_data *bplist, uint32_t node
        return NULL;
    }
-    ptr = bplist->data + UINT_TO_HOST(idx_ptr, bplist->offset_size);
+    uint64_t node_offset = UINT_TO_HOST(idx_ptr, bplist->offset_size);
+    if (node_offset > (uint64_t)bplist->size) {
+        PLIST_BIN_ERR("node offset overflow (%llu)\n", node_offset);
+        bplist->err = PLIST_ERR_PARSE;
+        return NULL;
+    }
+    ptr = bplist->data + node_offset;
    /* make sure the node offset is in a sane range */
    if ((ptr < bplist->data+BPLIST_MAGIC_SIZE+BPLIST_VERSION_SIZE) || (ptr >= bplist->offset_table)) {
        PLIST_BIN_ERR("offset for node index %u points outside of valid range\n", node_index);
author	Nikias Bassen	2026-02-12 02:43:50 +0100
committer	Nikias Bassen	2026-02-12 02:43:50 +0100
commit	9969b8ebeb2dd2ac66e4d18fc15d0340de6e8d0e (patch)
tree	cad46eb503d50655946b77e38433ce76b9f9563d /src/bplist.c
parent	c4763002d20e845b566edbe499ada85b03d38dc2 (diff)
download	libplist-9969b8ebeb2dd2ac66e4d18fc15d0340de6e8d0e.tar.gz libplist-9969b8ebeb2dd2ac66e4d18fc15d0340de6e8d0e.tar.bz2