Age | Commit message (Collapse) | Author | Files | Lines | |
---|---|---|---|---|---|
2017-03-29 | xplist: Make XML parsing non-recursive to prevent stack overflow on ↵ | Nikias Bassen | 1 | -79/+103 | |
deep-structured plists Credit to OSS-Fuzz | |||||
2017-03-26 | bplist: Make sure sanity checks work on 32bit platforms | Nikias Bassen | 1 | -10/+14 | |
Because on 32-bit platforms 32-bit pointers and 64-bit sizes have been used for the sanity checks of the offset table and object references, the range checks would fail in certain interger-overflowish situations, causing heap buffer overflows or other unwanted behavior. Fixed by wideing the operands in question to 64-bit. | |||||
2017-02-18 | base64: Prevent undefined shift when parsing invalid base64 encoded data | Nikias Bassen | 1 | -3/+3 | |
Credit to OSS-Fuzz | |||||
2017-02-15 | xplist: Improve writing of large PLIST_DATA nodes by growing buffer in advance | Nikias Bassen | 4 | -3/+11 | |
Instead of letting the buffer grow by just the amount of bytes currently transformed to base64 - which is basically line by line - we now calculate the size of the output blob in advance and grow the buffer accordingly. This will reduce the amount of reallocs to just one, which is especially important for large data blobs. While this is a general improvement for all platforms, it is on platforms like Windows where realloc() can be REALLY slow; converting a 20mb blob to XML can easily take up to a minute (due to the several hundred thousand calls to realloc()). With this commit, it will be fast again. | |||||
2017-02-10 | bplist: Fix data range check for string/data/dict/array nodes | Nikias Bassen | 1 | -6/+6 | |
Passing a size of 0xFFFFFFFFFFFFFFFF to parse_string_node() might result in a memcpy with a size of -1, leading to undefined behavior. This commit makes sure that the actual node data (which depends on the size) is in the range start_of_object..start_of_object+size. Credit to OSS-Fuzz | |||||
2017-02-10 | bplist: Fix integer overflow resulting in OOB heap buffer read | Nikias Bassen | 1 | -0/+5 | |
Credit to OSS-Fuzz | |||||
2017-02-09 | xplist: Fix OOB heap buffer read with empty data nodes | Nikias Bassen | 1 | -2/+4 | |
Credit to OSS-Fuzz | |||||
2017-02-09 | bplist: Make sure to detect integer overflow when handling unicode node size | Nikias Bassen | 1 | -0/+4 | |
Credit to OSS-Fuzz | |||||
2017-02-09 | xplist: Prevent assert when parsing CF$UID dict with invalid value node | Nikias Bassen | 1 | -0/+5 | |
Credit to OSS-Fuzz | |||||
2017-02-08 | xplist: Use proper variable size for integer from string parsing | Nikias Bassen | 1 | -2/+2 | |
2017-02-07 | plist: Fix assert() to allow 16 or 8 byte integer sizes (16 bytes = unsigned ↵ | Nikias Bassen | 1 | -1/+1 | |
integer) Credit to Wang Junjie <zhunkibatu@gmail.com> (#90) Credit to OSS-Fuzz | |||||
2017-02-07 | bplist: Properly handle some more malloc() failure situations | Nikias Bassen | 1 | -3/+18 | |
2017-02-07 | bplist: Make sure to bail out if malloc() fails in parse_unicode_node() | Nikias Bassen | 1 | -0/+5 | |
Credit to OSS-Fuzz | |||||
2017-02-07 | bplist: Make sure to bail out if malloc() fails in parse_data_node() | Nikias Bassen | 1 | -0/+5 | |
Credit to OSS-Fuzz | |||||
2017-02-07 | bplist: Make sure to bail out if malloc() fails in parse_string_node() | Nikias Bassen | 1 | -0/+5 | |
Credit to Wang Junjie <zhunkibatu@gmail.com> (#93) | |||||
2017-02-07 | xplist: Prevent some more strncmp related OOB reads | Nikias Bassen | 1 | -4/+4 | |
2017-02-07 | xplist: Really fix OOB read when parsing DOCTYPE | Nikias Bassen | 1 | -1/+1 | |
2017-02-07 | xplist: unescape_entities(): Make sure text part buffer is null terminated ↵ | Nikias Bassen | 1 | -0/+1 | |
after strncpy | |||||
2017-02-07 | xplist: Fix OOB read when parsing DOCTYPE | Nikias Bassen | 1 | -1/+1 | |
2017-02-07 | xplist: Also fix OOB read in find_char() and find_str() functions | Nikias Bassen | 1 | -0/+8 | |
2017-02-07 | xplist: Prevent OOB read in two more cases | Nikias Bassen | 1 | -0/+10 | |
2017-02-07 | xplist: Fix OOB read when parsing double quotes | Nikias Bassen | 1 | -0/+4 | |
2017-02-07 | xplist: Fix OOB read when parsing node text content | Nikias Bassen | 1 | -1/+1 | |
2017-02-07 | xplist: Catch some more error conditions | Nikias Bassen | 1 | -34/+37 | |
2017-02-06 | xplist: Prevent memory leaks when parsing fails | Nikias Bassen | 1 | -37/+20 | |
2017-02-06 | bplist: Plug memory leak in case parsing a dictionary key fails | Nikias Bassen | 1 | -0/+1 | |
2017-02-06 | bplist: Refine some debug/error messages in parse_dict_node() | Nikias Bassen | 1 | -4/+4 | |
2017-02-05 | bplist: Suppress compiler warnings about format specifiers in error messages | Nikias Bassen | 1 | -8/+9 | |
2017-02-05 | bplist: Add error/debug logging (only if configured with --enable-debug) | Nikias Bassen | 2 | -31/+116 | |
This commit adds proper debug/error messages being printed if the binary plist parser encounters anything abnormal. To enable debug logging, libplist must be configured with --enable-debug, and the environment variable PLIST_BIN_DEBUG must be set to "1". | |||||
2017-02-05 | bplist: Make sure node data is always before the offset table | Nikias Bassen | 1 | -14/+14 | |
2017-02-05 | bplist: Make sure the offset table is in the correct range | Nikias Bassen | 1 | -4/+9 | |
2017-02-05 | bplist: Make sure node index is smaller than number of objects | Nikias Bassen | 1 | -1/+1 | |
2017-02-04 | bplist: Fix OOB write on heap buffer and improve recursion check | Nikias Bassen | 1 | -8/+14 | |
Issue #92 pointed out an problem with (invalid) bplist files which have exactly one structured node whose subnode reference itself. The recursion check used a fixed size array with the size of the total number of objects. In this case the number of objects is 1 but the recursion check code wanted to set the node_index for the level 1 which leads to an OOB write on the heap. This commit fixes/improves two things: 1) Prevent OOB write by using a dynamic data storage for the used node indexes (plist_t of type PLIST_ARRAY) 2) Reduces the memory usage of large binary plists, because not the total number of nodes in the binary plist, but the number of recursion levels is important for the recursion check. | |||||
2017-02-03 | bplist: Prevent OOB read when parsing data/string/array/dict size nodes | Nikias Bassen | 1 | -0/+2 | |
As reported in #91, the code that will read the big endian integer value of variable size did not check if the actual number of bytes is still withing the range of the actual plist data. This commit fixes the issue with proper bounds checking. | |||||
2017-02-03 | bplist: Unify size node parsing for data/string/array/dict nodes | Nikias Bassen | 1 | -45/+24 | |
2017-02-01 | bplist: Fix possible out-of-bounds read in parse_array_node() with proper ↵ | Nikias Bassen | 1 | -4/+12 | |
bounds checking | |||||
2017-02-01 | bplist: Avoid heap buffer allocation when parsing array/dict/string/data ↵ | Nikias Bassen | 1 | -20/+25 | |
node sizes > 14 The sizes where effectively parsed by calling parse_uint_node() which allocates a node_t (along with plist_data_t) that is immediately freed after retrieving the integer value it holds. This commit changes the code to directly operate on the binary stream to 'just' read the size instead, reducing the memory footprint further. | |||||
2017-01-28 | bplist: Don't duplicate output buffer in plist_to_bin() | Nikias Bassen | 1 | -4/+4 | |
2017-01-28 | bplist: Improve parsing unicode nodes | Nikias Bassen | 1 | -23/+10 | |
2017-01-28 | bplist: Improve writing of offset table | Nikias Bassen | 1 | -12/+3 | |
2017-01-28 | bplist: Improve writing of array and dictionary nodes | Nikias Bassen | 1 | -54/+17 | |
2017-01-28 | bplist: Improve writing of data, string, and unicode nodes | Nikias Bassen | 1 | -18/+7 | |
2017-01-28 | bplist: Improve writing of UID nodes | Nikias Bassen | 1 | -12/+6 | |
2017-01-28 | bplist: Improve writing of integer nodes | Nikias Bassen | 1 | -21/+12 | |
2017-01-28 | bplist: Improve real/date node de/serialization | Nikias Bassen | 1 | -65/+56 | |
2017-01-25 | bplist: Fix UID node parsing to match Apple's parser | Nikias Bassen | 1 | -14/+7 | |
Apple only allows 32 bit unsigned values for UID nodes. Also the encoding of the length is different from the encoding used for other node types. The nibble used to mark the size is 1 less than the actual size of the integer value data, so 0 means 1 byte length 1 means 2 bytes length, etc. | |||||
2017-01-25 | bplist: Improve integer node parsing, remove unnecessary memcpy() | Nikias Bassen | 1 | -4/+2 | |
2017-01-19 | bplist: Check for invalid ref_size in bplist trailer | Nikias Bassen | 1 | -0/+3 | |
2017-01-19 | bplist: Mass-rename 'dict_size' and 'param_dict_size' to more appropriate ↵ | Nikias Bassen | 1 | -30/+30 | |
'ref_size' | |||||
2017-01-19 | bplist: Use proper struct for binary plist trailer | Nikias Bassen | 1 | -47/+31 | |