From 72f7cf803635a127c63bcd37ab35ced28636410a Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Fri, 10 Feb 2017 05:01:09 +0100
Subject: bplist: Fix integer overflow resulting in OOB heap buffer read

Credit to OSS-Fuzz
---
 src/bplist.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/bplist.c b/src/bplist.c
index da7bb63..0fd149e 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -825,6 +825,11 @@ PLIST_API void plist_from_bin(const char *plist_bin, uint32_t length, plist_t *
 return;
 }
 
+ if (num_objects * offset_size < num_objects) {
+ PLIST_BIN_ERR("integer overflow when calculating offset table size (too many objects)\n");
+ return;
+ }
+
 if (offset_table + num_objects * offset_size > end_data) {
 PLIST_BIN_ERR("offset table points outside of valid range\n");
 return;
-- 
cgit v1.1-32-gdbae
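Review bot: The added guard `num_objects * offset_size < num_objects` is not a complete overflow test for unsigned multiplication: once offset_size is 3 or more and num_objects sits near the top of its range, the wrapped product can still be greater than or equal to num_objects and the check passes (with a 64-bit num_objects, 2^63 * 3 wraps to exactly 2^63). The exact form is a division check, `if (offset_size == 0 || num_objects > UINT64_MAX / offset_size)`, assuming num_objects is uint64_t as the bplist trailer suggests — the hunk does not show the declarations, so the limit constant should follow the declared type. The range check that follows also computes `offset_table + num_objects * offset_size` before comparing, which is undefined pointer arithmetic as soon as the product exceeds the buffer; comparing lengths instead, `if (num_objects * offset_size > (uint64_t)(end_data - offset_table))`, keeps the arithmetic in integers. plist_from_bin begins and ends outside the hunk, so whether offset_size is already validated as non-zero earlier in the function cannot be confirmed from here.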