File 0010-Make-sure-to-error-out-if-allocation-of-used_indexes-buffer-in-plist_from_bin-fails.patch of Package libplist.4090

From 23fe533a0f0f34e9cb1d2e328107958645d54ed1 Mon Sep 17 00:00:00 2001
From: Filippo Bigarella <filippobigarella@gmail.com>
Date: Thu, 10 Nov 2016 01:34:02 +0100
Subject: [PATCH] bplist: Make sure to error out if allocation of
 `used_indexes` buffer in plist_from_bin() fails

If the allocation fails, a lot of bad things can happen so we check the
result and return accordingly. We also check that the multiplication used
to calculate the buffer size doesn't overflow. Otherwise this could lead
to an allocation of a very small buffer compared to what we need, ultimately
leading to arbitrary writes later on.
---
 src/bplist.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/bplist.c b/src/bplist.c
index be82b4e..49d29c5 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -742,6 +742,9 @@ PLIST_API void plist_from_bin(const char *plist_bin, uint32_t length, plist_t *
     if (offset_table + num_objects * offset_size >= plist_bin + length)
         return;
 
+    if (sizeof(uint32_t) * num_objects < num_objects)
+        return;
+
     struct bplist_data bplist;
     bplist.data = plist_bin;
     bplist.size = length;
@@ -752,6 +755,9 @@ PLIST_API void plist_from_bin(const char *plist_bin, uint32_t length, plist_t *
     bplist.level = 0;
     bplist.used_indexes = (uint32_t*)malloc(sizeof(uint32_t) * num_objects);
 
+    if (!bplist.used_indexes)
+        return;
+
     *plist = parse_bin_node_at_index(&bplist, root_object);
 
     free(bplist.used_indexes);