authorGravatar Filippo Bigarella2016-11-10 01:24:29 +0100
committerGravatar Nikias Bassen2016-11-10 01:24:29 +0100
commit1ae55728f427532234be85a90322e4a3c77b4074 (patch)
tree55dfe72ec6ea98b2eb7a7a9e8c12ebbe03cbe7ab /src
parentb86a392b819518cf37db78140d4ed4418c0177da (diff)
bplist: Make sure the index in parse_bin_node_at_index() is actually within the offset table
Diffstat (limited to 'src')
-rw-r--r--src/bplist.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/src/bplist.c b/src/bplist.c
index dad72a6..8447187 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -661,11 +661,20 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object)
static plist_t parse_bin_node_at_index(struct bplist_data *bplist, uint32_t node_index)
{
- int i;
- const char* ptr;
- plist_t plist;
+ int i = 0;
+ const char* ptr = NULL;
+ plist_t plist = NULL;
+ const char* idx_ptr = NULL;
- ptr = bplist->data + UINT_TO_HOST(bplist->offset_table + node_index * bplist->offset_size, bplist->offset_size);
+ if (node_index > bplist->num_objects)
+ return NULL;
+
+ idx_ptr = bplist->offset_table + node_index * bplist->offset_size;
+ if (idx_ptr < bplist->offset_table ||
+ idx_ptr >= bplist->offset_table + bplist->num_objects * bplist->offset_size)
+ return NULL;
+
+ ptr = bplist->data + UINT_TO_HOST(idx_ptr, bplist->offset_size);
/* make sure the node offset is in a sane range */
if ((ptr < bplist->data) || (ptr >= bplist->offset_table)) {
return NULL;
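Review bot: The index check at the top of the new code uses `>` where `>=` is the bound, so `node_index == bplist->num_objects` passes it and is only rejected by the pointer-range check two lines later; change it to `if (node_index >= bplist->num_objects)` so the index check alone is sufficient. With that fix the `idx_ptr` range test becomes a restatement of the index test, and its `idx_ptr < bplist->offset_table` half can only fire through pointer wrap-around, which is undefined behaviour a compiler is entitled to assume never happens, so the integer comparison is the one to rely on. `node_index * bplist->offset_size` is evaluated at whatever width `offset_size` promotes to (its type is not visible here), and the resulting `idx_ptr` plus `offset_size` bytes read by `UINT_TO_HOST` stay inside the buffer only if `num_objects * offset_size` was already checked against the data length when the trailer was parsed, which this hunk cannot confirm. parse_bin_node_at_index continues past the end of the hunk.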