summaryrefslogtreecommitdiffstats
path: root/src/bplist.c
AgeCommit message (Collapse)AuthorFilesLines
2017-04-20bplist: Fix missing break in switch statement in plist_to_bin()Gravatar Nikias Bassen1-0/+1
Credit to Christophe Fergeau
2017-04-20bplist: Suppress compiler warnings with proper castsGravatar Nikias Bassen1-3/+3
2017-04-19bplist: Fix integer overflow check (offset table size)Gravatar Nikias Bassen1-3/+17
2017-03-26bplist: Make sure sanity checks work on 32bit platformsGravatar Nikias Bassen1-10/+14
Because on 32-bit platforms 32-bit pointers and 64-bit sizes have been used for the sanity checks of the offset table and object references, the range checks would fail in certain interger-overflowish situations, causing heap buffer overflows or other unwanted behavior. Fixed by wideing the operands in question to 64-bit.
2017-02-10bplist: Fix data range check for string/data/dict/array nodesGravatar Nikias Bassen1-6/+6
Passing a size of 0xFFFFFFFFFFFFFFFF to parse_string_node() might result in a memcpy with a size of -1, leading to undefined behavior. This commit makes sure that the actual node data (which depends on the size) is in the range start_of_object..start_of_object+size. Credit to OSS-Fuzz
2017-02-10bplist: Fix integer overflow resulting in OOB heap buffer readGravatar Nikias Bassen1-0/+5
Credit to OSS-Fuzz
2017-02-09bplist: Make sure to detect integer overflow when handling unicode node sizeGravatar Nikias Bassen1-0/+4
Credit to OSS-Fuzz
2017-02-07bplist: Properly handle some more malloc() failure situationsGravatar Nikias Bassen1-3/+18
2017-02-07bplist: Make sure to bail out if malloc() fails in parse_unicode_node()Gravatar Nikias Bassen1-0/+5
Credit to OSS-Fuzz
2017-02-07bplist: Make sure to bail out if malloc() fails in parse_data_node()Gravatar Nikias Bassen1-0/+5
Credit to OSS-Fuzz
2017-02-07bplist: Make sure to bail out if malloc() fails in parse_string_node()Gravatar Nikias Bassen1-0/+5
Credit to Wang Junjie <zhunkibatu@gmail.com> (#93)
2017-02-06bplist: Plug memory leak in case parsing a dictionary key failsGravatar Nikias Bassen1-0/+1
2017-02-06bplist: Refine some debug/error messages in parse_dict_node()Gravatar Nikias Bassen1-4/+4
2017-02-05bplist: Suppress compiler warnings about format specifiers in error messagesGravatar Nikias Bassen1-8/+9
2017-02-05bplist: Add error/debug logging (only if configured with --enable-debug)Gravatar Nikias Bassen1-31/+112
This commit adds proper debug/error messages being printed if the binary plist parser encounters anything abnormal. To enable debug logging, libplist must be configured with --enable-debug, and the environment variable PLIST_BIN_DEBUG must be set to "1".
2017-02-05bplist: Make sure node data is always before the offset tableGravatar Nikias Bassen1-14/+14
2017-02-05bplist: Make sure the offset table is in the correct rangeGravatar Nikias Bassen1-4/+9
2017-02-05bplist: Make sure node index is smaller than number of objectsGravatar Nikias Bassen1-1/+1
2017-02-04bplist: Fix OOB write on heap buffer and improve recursion checkGravatar Nikias Bassen1-8/+14
Issue #92 pointed out an problem with (invalid) bplist files which have exactly one structured node whose subnode reference itself. The recursion check used a fixed size array with the size of the total number of objects. In this case the number of objects is 1 but the recursion check code wanted to set the node_index for the level 1 which leads to an OOB write on the heap. This commit fixes/improves two things: 1) Prevent OOB write by using a dynamic data storage for the used node indexes (plist_t of type PLIST_ARRAY) 2) Reduces the memory usage of large binary plists, because not the total number of nodes in the binary plist, but the number of recursion levels is important for the recursion check.
2017-02-03bplist: Prevent OOB read when parsing data/string/array/dict size nodesGravatar Nikias Bassen1-0/+2
As reported in #91, the code that will read the big endian integer value of variable size did not check if the actual number of bytes is still withing the range of the actual plist data. This commit fixes the issue with proper bounds checking.
2017-02-03bplist: Unify size node parsing for data/string/array/dict nodesGravatar Nikias Bassen1-45/+24
2017-02-01bplist: Fix possible out-of-bounds read in parse_array_node() with proper ↵Gravatar Nikias Bassen1-4/+12
bounds checking
2017-02-01bplist: Avoid heap buffer allocation when parsing array/dict/string/data ↵Gravatar Nikias Bassen1-20/+25
node sizes > 14 The sizes where effectively parsed by calling parse_uint_node() which allocates a node_t (along with plist_data_t) that is immediately freed after retrieving the integer value it holds. This commit changes the code to directly operate on the binary stream to 'just' read the size instead, reducing the memory footprint further.
2017-01-28bplist: Don't duplicate output buffer in plist_to_bin()Gravatar Nikias Bassen1-4/+4
2017-01-28bplist: Improve parsing unicode nodesGravatar Nikias Bassen1-23/+10
2017-01-28bplist: Improve writing of offset tableGravatar Nikias Bassen1-12/+3
2017-01-28bplist: Improve writing of array and dictionary nodesGravatar Nikias Bassen1-54/+17
2017-01-28bplist: Improve writing of data, string, and unicode nodesGravatar Nikias Bassen1-18/+7
2017-01-28bplist: Improve writing of UID nodesGravatar Nikias Bassen1-12/+6
2017-01-28bplist: Improve writing of integer nodesGravatar Nikias Bassen1-21/+12
2017-01-28bplist: Improve real/date node de/serializationGravatar Nikias Bassen1-65/+56
2017-01-25bplist: Fix UID node parsing to match Apple's parserGravatar Nikias Bassen1-14/+7
Apple only allows 32 bit unsigned values for UID nodes. Also the encoding of the length is different from the encoding used for other node types. The nibble used to mark the size is 1 less than the actual size of the integer value data, so 0 means 1 byte length 1 means 2 bytes length, etc.
2017-01-25bplist: Improve integer node parsing, remove unnecessary memcpy()Gravatar Nikias Bassen1-4/+2
2017-01-19bplist: Check for invalid ref_size in bplist trailerGravatar Nikias Bassen1-0/+3
2017-01-19bplist: Mass-rename 'dict_size' and 'param_dict_size' to more appropriate ↵Gravatar Nikias Bassen1-30/+30
'ref_size'
2017-01-19bplist: Use proper struct for binary plist trailerGravatar Nikias Bassen1-47/+31
2017-01-19bplist: Check for invalid offset_size in bplist trailerGravatar Wang Junjie1-0/+3
2017-01-18bplist: Improve UINT_TO_HOST macro, remove uint24_from_be functionGravatar Nikias Bassen1-17/+11
The uint24_from_be function used memcpy and a call to byte_convert. Instead the macro now shifts the data appropriately with a new beNtoh macro that eventually uses be64toh. This commit also fixes the problem where binary plist data with other non-power-of-2 sizes (like 5,6, or 7) where not handled correctly, and actually supports sizes larger than 8 bytes though only the last 8 bytes are actually converted (nobody will come up with such a large plist anyway).
2017-01-16bplist: Disallow key nodes with non-string node typesGravatar Nikias Bassen1-0/+7
As reported in #86, the binary plist parser would force the type of the key node to be of type PLIST_KEY while the node might be of a different i.e. non-string type. A following plist_free() might then call free() on an invalid pointer; e.g. if the node is of type integer, its value would be considered a pointer, and free() would cause an error. We prevent this issue by disallowing non-string key nodes during parsing.
2016-11-18bplist: Remove misleading/redundant `else` from BPLIST_DATE case in ↵Gravatar Nikias Bassen1-4/+3
parse_bin_node
2016-11-18Improve plist_dict_set_item performance for large dictionaries with hash tableGravatar Nikias Bassen1-1/+1
2016-11-13bplist: Fix surrogate parsing range to include U+100000 - U+1FFFFFGravatar Nikias Bassen1-2/+2
2016-11-10bplist: Make sure to error out if allocation of `used_indexes` buffer in ↵Gravatar Filippo Bigarella1-0/+6
plist_from_bin() fails If the allocation fails, a lot of bad things can happen so we check the result and return accordingly. We also check that the multiplication used to calculate the buffer size doesn't overflow. Otherwise this could lead to an allocation of a very small buffer compared to what we need, ultimately leading to arbitrary writes later on.
2016-11-10bplist: Prevent out-of-bounds read in plist_from_bin() when parsing offset_tableGravatar Filippo Bigarella1-1/+9
offset_table_index is read from the file, so we have full control over it. This means we can point offset_table essentially anywhere we want, which can lead to an out-of-bounds read when it will be used later on.
2016-11-10bplist: Make sure the index in parse_bin_node_at_index() is actually within ↵Gravatar Filippo Bigarella1-4/+13
the offset table
2016-11-10bplist: Fix possible out-of-bounds reads in parse_bin_node() with proper ↵Gravatar Filippo Bigarella1-0/+21
bounds checking
2016-11-10bplist: Fix possible out-of-bounds read in parse_dict_node() with proper ↵Gravatar Filippo Bigarella1-2/+13
bounds checking
2016-10-22Remove libxml2 dependency in favor of custom XML parsingGravatar Nikias Bassen1-2/+1
2016-09-19Change internal storage of PLIST_DATE values from struct timeval to doubleGravatar Nikias Bassen1-9/+2
This removes the timeval union member from the plist_data_t structure. Since struct timeval is 2x64bit on 64bit platforms this member unnecessarily grew the union size to 16 bytes while a size of 8 bytes is sufficient. Also, on 32bit platforms struct timeval is only 2x32bit of size, limiting the range of possible time values. In addition the binary property list format also stores PLIST_DATE nodes as double.
2016-05-12bplist: Speed up plist_to_bin conversion for large plistsGravatar Nikias Bassen1-4/+7
Using a better hashing algorithm and a larger hash table the conversion is A LOT faster when processing large plists. Thanks to Xiao Deng for reporting this issue and suggesting a fix.