From b1be1e99dd1f489720e83d018bcbdb91fb1e87e5 Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Thu, 9 Feb 2017 14:50:48 +0100
Subject: bplist: Make sure to detect integer overflow when handling unicode node size

Credit to OSS-Fuzz
---
 src/bplist.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/bplist.c b/src/bplist.c
index bf8d985..da7bb63 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -668,6 +668,10 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object)
 return parse_string_node(object, size);
 case BPLIST_UNICODE:
+ if (size*2 < size) {
+ PLIST_BIN_ERR("%s: Integer overflow when calculating BPLIST_UNICODE data size.\n", __func__);
+ return NULL;
+ }
 if (*object + size*2 > bplist->offset_table) {
 PLIST_BIN_ERR("%s: BPLIST_UNICODE data bytes point outside of valid range\n", __func__);
 return NULL;
-- 
cgit v1.1-32-gdbae
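Review bot: The added guard `if (size*2 < size)` relies on unsigned wraparound, which is only sound if `size` is declared with an unsigned type; its declaration is outside the hunk, and if it were signed the overflow being tested for would be undefined behaviour that the optimizer may discard together with the comparison. A check that never multiplies `size` avoids that dependency and also replaces the pointer arithmetic in the following context line, which forms a pointer past the buffer when `size` is large: `if (size > (uint64_t)(bplist->offset_table - *object) / 2) { PLIST_BIN_ERR("%s: BPLIST_UNICODE data bytes point outside of valid range\n", __func__); return NULL; }`, with the cast matching `size`'s actual type. This presumes `*object` has already been validated to lie at or before `bplist->offset_table`, which I cannot confirm from the hunk. parse_bin_node's body starts and ends outside the hunk.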