Age | Commit message (Collapse) | Author | Files | Lines |
|
Credit to OSS-Fuzz
|
|
Credit to OSS-Fuzz
|
|
|
|
Credit to OSS-Fuzz
|
|
Credit to OSS-Fuzz
|
|
Credit to Wang Junjie <zhunkibatu@gmail.com> (#93)
|
|
|
|
|
|
|
|
This commit adds proper debug/error messages being printed if the binary
plist parser encounters anything abnormal. To enable debug logging,
libplist must be configured with --enable-debug, and the environment
variable PLIST_BIN_DEBUG must be set to "1".
|
|
|
|
|
|
|
|
Issue #92 pointed out an problem with (invalid) bplist files which have
exactly one structured node whose subnode reference itself.
The recursion check used a fixed size array with the size of the total number
of objects. In this case the number of objects is 1 but the recursion check
code wanted to set the node_index for the level 1 which leads to an OOB write
on the heap. This commit fixes/improves two things:
1) Prevent OOB write by using a dynamic data storage for the used node
indexes (plist_t of type PLIST_ARRAY)
2) Reduces the memory usage of large binary plists, because not the total
number of nodes in the binary plist, but the number of recursion levels
is important for the recursion check.
|
|
As reported in #91, the code that will read the big endian integer value
of variable size did not check if the actual number of bytes is still
withing the range of the actual plist data.
This commit fixes the issue with proper bounds checking.
|
|
|
|
bounds checking
|
|
node sizes > 14
The sizes where effectively parsed by calling parse_uint_node() which
allocates a node_t (along with plist_data_t) that is immediately freed
after retrieving the integer value it holds.
This commit changes the code to directly operate on the binary stream
to 'just' read the size instead, reducing the memory footprint further.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Apple only allows 32 bit unsigned values for UID nodes. Also the encoding
of the length is different from the encoding used for other node types.
The nibble used to mark the size is 1 less than the actual size of the integer
value data, so 0 means 1 byte length 1 means 2 bytes length, etc.
|
|
|
|
|
|
'ref_size'
|
|
|
|
|
|
The uint24_from_be function used memcpy and a call to byte_convert.
Instead the macro now shifts the data appropriately with a new beNtoh
macro that eventually uses be64toh.
This commit also fixes the problem where binary plist data with other
non-power-of-2 sizes (like 5,6, or 7) where not handled correctly,
and actually supports sizes larger than 8 bytes though only the last
8 bytes are actually converted (nobody will come up with such a large
plist anyway).
|
|
As reported in #86, the binary plist parser would force the type of the
key node to be of type PLIST_KEY while the node might be of a different
i.e. non-string type. A following plist_free() might then call free() on
an invalid pointer; e.g. if the node is of type integer, its value would
be considered a pointer, and free() would cause an error.
We prevent this issue by disallowing non-string key nodes during parsing.
|
|
parse_bin_node
|
|
|
|
|
|
plist_from_bin() fails
If the allocation fails, a lot of bad things can happen so we check the
result and return accordingly. We also check that the multiplication used
to calculate the buffer size doesn't overflow. Otherwise this could lead
to an allocation of a very small buffer compared to what we need, ultimately
leading to arbitrary writes later on.
|
|
offset_table_index is read from the file, so we have full control over it.
This means we can point offset_table essentially anywhere we want, which can
lead to an out-of-bounds read when it will be used later on.
|
|
the offset table
|
|
bounds checking
|
|
bounds checking
|
|
|
|
This removes the timeval union member from the plist_data_t structure.
Since struct timeval is 2x64bit on 64bit platforms this member unnecessarily
grew the union size to 16 bytes while a size of 8 bytes is sufficient.
Also, on 32bit platforms struct timeval is only 2x32bit of size, limiting the
range of possible time values. In addition the binary property list format
also stores PLIST_DATE nodes as double.
|
|
Using a better hashing algorithm and a larger hash table the conversion
is A LOT faster when processing large plists. Thanks to Xiao Deng for
reporting this issue and suggesting a fix.
|
|
|
|
When parsing binary plists with BPLIST_DICT or BPLIST_ARRAY nodes that are
referenced multiple times in a particular file, a buffer was allocated that
was not used, and also not freed, thus causing memory leaks.
|
|
freed memory
Given a specifically ordered binary plist the function plist_from_bin() would
free BPLIST_DICT or BPLIST_ARRAY raw node data that is still required for
parsing of following nodes. This commit addresses this issues by moving the
memory free to the end of the parsing process.
|
|
The parsing logic for binary dictionaries wrongly enforced the key type even
on nodes that were already parsed as value nodes. This caused the resulting
plist_t node tree to have key nodes instead of value nodes within dictionaries
for some valid binary plists. This commit should also generally fixes parsing
of binary plist files which use an efficient dictionary reference table.
|
|
|