bplist: Fix possible out-of-bounds read in parse_dict_node() with proper bounds checking

1 files changed, 13 insertions, 2 deletions

diff --git a/src/bplist.c b/src/bplist.c
index 78b8255..8cafb6a 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -402,6 +402,9 @@ static plist_t parse_dict_node(struct bplist_data *bplist, const char** bnode, u
     uint64_t str_i = 0, str_j = 0;
     uint64_t index1, index2;
     plist_data_t data = plist_new_plist_data();
+    const char *const end_data = bplist->data + bplist->size;
+    const char *index1_ptr = NULL;
+    const char *index2_ptr = NULL;
 
     data->type = PLIST_DICT;
     data->length = size;
@@ -411,9 +414,17 @@ static plist_t parse_dict_node(struct bplist_data *bplist, const char** bnode, u
     for (j = 0; j < data->length; j++) {
         str_i = j * bplist->dict_size;
         str_j = (j + size) * bplist->dict_size;
+        index1_ptr = (*bnode) + str_i;
+        index2_ptr = (*bnode) + str_j;
 
-        index1 = UINT_TO_HOST((*bnode) + str_i, bplist->dict_size);
-        index2 = UINT_TO_HOST((*bnode) + str_j, bplist->dict_size);
+        if ((index1_ptr < bplist->data || index1_ptr + bplist->dict_size >= end_data) ||
+            (index2_ptr < bplist->data || index2_ptr + bplist->dict_size >= end_data)) {
+            plist_free(node);
+            return NULL;
+        }
+
+        index1 = UINT_TO_HOST(index1_ptr, bplist->dict_size);
+        index2 = UINT_TO_HOST(index2_ptr, bplist->dict_size);
 
         if (index1 >= bplist->num_objects) {
             plist_free(node);