From fc047e6de9d7afa3b168fd2c4d1d0884788e7086 Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Fri, 3 Feb 2017 23:33:07 +0100
Subject: bplist: Prevent OOB read when parsing data/string/array/dict size
 nodes

As reported in #91, the code that will read the big endian integer value
of variable size did not check if the actual number of bytes is still
withing the range of the actual plist data.
This commit fixes the issue with proper bounds checking.
---
 src/bplist.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/bplist.c b/src/bplist.c
index 1a40556..0cfe5fe 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -530,6 +530,8 @@ static plist_t parse_bin_node(struct bplist_data *bplist, const char** object)
                 return NULL;
             (*object)++;
             next_size = 1 << next_size;
+            if (*object + next_size >= bplist->data + bplist->size)
+                return NULL;
             size = UINT_TO_HOST(*object, next_size);
             (*object) += next_size;
             break;
-- 
cgit v1.1-32-gdbae