Diffstat (limited to 'src/bplist.c')
| -rw-r--r-- | src/bplist.c | 9 |
1 files changed, 8 insertions, 1 deletions
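--- a/src/bplist.c
+++ b/src/bplist.c
@@ -876,7 +876,14 @@ plist_err_t plist_from_bin(const char *plist_bin, uint32_t length, plist_t * pli
 ref_size = trailer->ref_size;
 num_objects = be64toh(trailer->num_objects);
 root_object = be64toh(trailer->root_object_index);
-offset_table = (char *)(plist_bin + be64toh(trailer->offset_table_offset));
+
+uint64_t offset_table_offset = be64toh(trailer->offset_table_offset);
+uint64_t max_valid_offset = (uint64_t)length - sizeof(bplist_trailer_t);
+if (offset_table_offset > max_valid_offset) {
+PLIST_BIN_ERR("offset table offset outside of valid range\n");
+return PLIST_ERR_PARSE;
+}
+offset_table = (char *)(plist_bin + offset_table_offset);
 
 if (num_objects == 0) {
 PLIST_BIN_ERR("number of objects must be larger than 0\n");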
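Review bot: The guard at new lines 881–882 bounds only where the offset table starts, not where it ends, so a table that begins at or just before `max_valid_offset` can still overlap the trailer or run past the buffer once its entries are read. Unless a later check outside this hunk already covers it, I would add, after the zero checks on `num_objects` and the per-entry offset size, something like `if (num_objects > (max_valid_offset - offset_table_offset) / offset_size) return PLIST_ERR_PARSE;`, where the division form avoids overflow in the multiplication. The subtraction `(uint64_t)length - sizeof(bplist_trailer_t)` also wraps to a huge value if `length` is smaller than the trailer. That is presumably rejected earlier in `plist_from_bin`, which starts outside the hunk, but a comment such as `/* length >= sizeof(bplist_trailer_t) was verified above */` would make the dependency explicit.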
