diff options
| author |  Nikias Bassen | 2023-01-09 19:32:21 +0100 |
|---|---|---|
| committer | Nikias Bassen | 2023-01-09 19:32:21 +0100 |
| commit | 79f58e9355e9bddd44e77f0d7f69dd96cce38cc6 (patch) | |
| tree | 0eb741ef1c721c190f8535314b0e3ba50fe6abf9 /src | |
| parent | 5bdbd3fe620e66a65373524a0707909ca926a3a1 (diff) | |
| download | libplist-79f58e9355e9bddd44e77f0d7f69dd96cce38cc6.tar.gz libplist-79f58e9355e9bddd44e77f0d7f69dd96cce38cc6.tar.bz2 | |
oplist: Add more bound checks to prevent OOB reads
Diffstat (limited to 'src')
| -rw-r--r-- | src/oplist.c | 34 |
1 files changed, 32 insertions, 2 deletions
diff --git a/src/oplist.c b/src/oplist.c index 21d8a64..deb54de 100644 --- a/src/oplist.c +++ b/src/oplist.c | |||
| @@ -527,7 +527,7 @@ static void parse_dict_data(parse_ctx ctx, plist_t dict) | |||
| 527 | plist_t val = NULL; | 527 | plist_t val = NULL; |
| 528 | while (ctx->pos < ctx->end && !ctx->err) { | 528 | while (ctx->pos < ctx->end && !ctx->err) { |
| 529 | parse_skip_ws(ctx); | 529 | parse_skip_ws(ctx); |
| 530 | if (*ctx->pos == '}' || ctx->pos >= ctx->end) { | 530 | if (ctx->pos >= ctx->end || *ctx->pos == '}') { |
| 531 | break; | 531 | break; |
| 532 | } | 532 | } |
| 533 | key = NULL; | 533 | key = NULL; |
| @@ -541,6 +541,11 @@ static void parse_dict_data(parse_ctx ctx, plist_t dict) | |||
| 541 | break; | 541 | break; |
| 542 | } | 542 | } |
| 543 | parse_skip_ws(ctx); | 543 | parse_skip_ws(ctx); |
| 544 | if (ctx->pos >= ctx->end) { | ||
| 545 | PLIST_OSTEP_ERR("EOF while parsing dictionary '=' delimiter at offset %ld\n", ctx->pos - ctx->start); | ||
| 546 | ctx->err++; | ||
| 547 | break; | ||
| 548 | } | ||
| 544 | if (*ctx->pos != '=') { | 549 | if (*ctx->pos != '=') { |
| 545 | PLIST_OSTEP_ERR("Missing '=' while parsing dictionary item at offset %ld\n", ctx->pos - ctx->start); | 550 | PLIST_OSTEP_ERR("Missing '=' while parsing dictionary item at offset %ld\n", ctx->pos - ctx->start); |
| 546 | ctx->err++; | 551 | ctx->err++; |
| @@ -565,6 +570,11 @@ static void parse_dict_data(parse_ctx ctx, plist_t dict) | |||
| 565 | break; | 570 | break; |
| 566 | } | 571 | } |
| 567 | parse_skip_ws(ctx); | 572 | parse_skip_ws(ctx); |
| 573 | if (ctx->pos >= ctx->end) { | ||
| 574 | PLIST_OSTEP_ERR("EOF while parsing dictionary item terminator ';' at offset %ld\n", ctx->pos - ctx->start); | ||
| 575 | ctx->err++; | ||
| 576 | break; | ||
| 577 | } | ||
| 568 | if (*ctx->pos != ';') { | 578 | if (*ctx->pos != ';') { |
| 569 | plist_free(val); | 579 | plist_free(val); |
| 570 | plist_free(key); | 580 | plist_free(key); |
| @@ -599,6 +609,11 @@ static int node_from_openstep(parse_ctx ctx, plist_t *plist) | |||
| 599 | if (ctx->err) { | 609 | if (ctx->err) { |
| 600 | goto err_out; | 610 | goto err_out; |
| 601 | } | 611 | } |
| 612 | if (ctx->pos >= ctx->end) { | ||
| 613 | PLIST_OSTEP_ERR("EOF while parsing dictionary terminator '}' at offset %ld\n", ctx->pos - ctx->start); | ||
| 614 | ctx->err++; | ||
| 615 | break; | ||
| 616 | } | ||
| 602 | if (*ctx->pos != '}') { | 617 | if (*ctx->pos != '}') { |
| 603 | PLIST_OSTEP_ERR("Missing terminating '}' at offset %ld\n", ctx->pos - ctx->start); | 618 | PLIST_OSTEP_ERR("Missing terminating '}' at offset %ld\n", ctx->pos - ctx->start); |
| 604 | ctx->err++; | 619 | ctx->err++; |
| @@ -615,7 +630,7 @@ static int node_from_openstep(parse_ctx ctx, plist_t *plist) | |||
| 615 | plist_t tmp = NULL; | 630 | plist_t tmp = NULL; |
| 616 | while (ctx->pos < ctx->end && !ctx->err) { | 631 | while (ctx->pos < ctx->end && !ctx->err) { |
| 617 | parse_skip_ws(ctx); | 632 | parse_skip_ws(ctx); |
| 618 | if (*ctx->pos == ')') { | 633 | if (ctx->pos >= ctx->end || *ctx->pos == ')') { |
| 619 | break; | 634 | break; |
| 620 | } | 635 | } |
| 621 | ctx->err = node_from_openstep(ctx, &tmp); | 636 | ctx->err = node_from_openstep(ctx, &tmp); |
| @@ -629,6 +644,11 @@ static int node_from_openstep(parse_ctx ctx, plist_t *plist) | |||
| 629 | plist_array_append_item(subnode, tmp); | 644 | plist_array_append_item(subnode, tmp); |
| 630 | tmp = NULL; | 645 | tmp = NULL; |
| 631 | parse_skip_ws(ctx); | 646 | parse_skip_ws(ctx); |
| 647 | if (ctx->pos >= ctx->end) { | ||
| 648 | PLIST_OSTEP_ERR("EOF while parsing array item delimiter ',' at offset %ld\n", ctx->pos - ctx->start); | ||
| 649 | ctx->err++; | ||
| 650 | break; | ||
| 651 | } | ||
| 632 | if (*ctx->pos != ',') { | 652 | if (*ctx->pos != ',') { |
| 633 | break; | 653 | break; |
| 634 | } | 654 | } |
| @@ -637,6 +657,11 @@ static int node_from_openstep(parse_ctx ctx, plist_t *plist) | |||
| 637 | if (ctx->err) { | 657 | if (ctx->err) { |
| 638 | goto err_out; | 658 | goto err_out; |
| 639 | } | 659 | } |
| 660 | if (ctx->pos >= ctx->end) { | ||
| 661 | PLIST_OSTEP_ERR("EOF while parsing array terminator ')' at offset %ld\n", ctx->pos - ctx->start); | ||
| 662 | ctx->err++; | ||
| 663 | break; | ||
| 664 | } | ||
| 640 | if (*ctx->pos != ')') { | 665 | if (*ctx->pos != ')') { |
| 641 | PLIST_OSTEP_ERR("Missing terminating ')' at offset %ld\n", ctx->pos - ctx->start); | 666 | PLIST_OSTEP_ERR("Missing terminating ')' at offset %ld\n", ctx->pos - ctx->start); |
| 642 | ctx->err++; | 667 | ctx->err++; |
| @@ -652,6 +677,11 @@ static int node_from_openstep(parse_ctx ctx, plist_t *plist) | |||
| 652 | bytearray_t *bytes = byte_array_new(256); | 677 | bytearray_t *bytes = byte_array_new(256); |
| 653 | while (ctx->pos < ctx->end && !ctx->err) { | 678 | while (ctx->pos < ctx->end && !ctx->err) { |
| 654 | parse_skip_ws(ctx); | 679 | parse_skip_ws(ctx); |
| 680 | if (ctx->pos >= ctx->end) { | ||
| 681 | PLIST_OSTEP_ERR("EOF while parsing data terminator '>' at offset %ld\n", ctx->pos - ctx->start); | ||
| 682 | ctx->err++; | ||
| 683 | break; | ||
| 684 | } | ||
| 655 | if (*ctx->pos == '>') { | 685 | if (*ctx->pos == '>') { |
| 656 | break; | 686 | break; |
| 657 | } | 687 | } |