From 9969b8ebeb2dd2ac66e4d18fc15d0340de6e8d0e Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Thu, 12 Feb 2026 02:43:50 +0100
Subject: bplist: Add overflow check to node offset pointer arithmetic

Credit to OSSFuzz
---
 src/bplist.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/bplist.c b/src/bplist.c
index 308b787..1187c7a 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -852,7 +852,13 @@ static plist_t parse_bin_node_at_index(struct bplist_data *bplist, uint32_t node
 return NULL;
 }
 
-ptr = bplist->data + UINT_TO_HOST(idx_ptr, bplist->offset_size);
+uint64_t node_offset = UINT_TO_HOST(idx_ptr, bplist->offset_size);
+if (node_offset > (uint64_t)bplist->size) {
+PLIST_BIN_ERR("node offset overflow (%llu)\n", node_offset);
+bplist->err = PLIST_ERR_PARSE;
+return NULL;
+}
+ptr = bplist->data + node_offset;
 /* make sure the node offset is in a sane range */
 if ((ptr < bplist->data+BPLIST_MAGIC_SIZE+BPLIST_VERSION_SIZE) || (ptr >= bplist->offset_table)) {
 PLIST_BIN_ERR("offset for node index %u points outside of valid range\n", node_index);
-- 
cgit v1.1-32-gdbae
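Review bot: The added `PLIST_BIN_ERR("node offset overflow (%llu)\n", node_offset)` passes a `uint64_t` to `%llu`, which only matches where `uint64_t` is `unsigned long long`; on LP64 targets it is `unsigned long`, so the call trips -Wformat and is formally undefined. The portable form is `PLIST_BIN_ERR("node offset overflow (%" PRIu64 ")\n", node_offset);` with `<inttypes.h>`, or a cast to `unsigned long long`, unless the file already relies on `%llu` for `uint64_t` elsewhere, which this hunk does not show. The message also says "overflow" for what is a range check and, unlike the neighbouring error a few lines below, does not name the node; `"offset %" PRIu64 " for node index %u exceeds data size\n"` would read consistently with it. The guard itself looks sound: bounding `node_offset` by `bplist->size` before the addition keeps `ptr` inside or one past the buffer, and the existing `ptr >= bplist->offset_table` check on the following line presumably rejects the one-past case as well. `parse_bin_node_at_index` begins and ends outside this hunk.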