File libplist-boo1035312-overflow-fixes.patch of Package libplist.4095

From fdebf8b319b9280cd0e9b4382f2c7cbf26ef9325 Mon Sep 17 00:00:00 2001
From: Nikias Bassen <nikias@gmx.li>
Date: Wed, 19 Apr 2017 19:32:34 +0200
Subject: [PATCH 17/31] bplist: Fix integer overflow check (offset table size)

Backported by Mike Gorse <mgorse@suse.com>
---
diff -urp libplist-1.12.orig/src/bplist.c libplist-1.12/src/bplist.c
--- libplist-1.12.orig/src/bplist.c	2017-05-01 12:59:08.956613607 -0500
+++ libplist-1.12/src/bplist.c	2017-05-01 13:03:48.037796333 -0500
@@ -179,6 +179,20 @@ union plist_uint_ptr
 #endif
 
 
+#ifndef __has_builtin
+#define __has_builtin(x) 0
+#endif
+
+#if __has_builtin(__builtin_umulll_overflow) || __GNUC__ >= 5
+#define uint64_mul_overflow(a, b, r) __builtin_umulll_overflow(a, b, r)
+#else
+static int uint64_mul_overflow(uint64_t a, uint64_t b, uint64_t *res)
+{
+    *res = a * b;
+    return (a > UINT64_MAX / b);
+}
+#endif
+
 #define NODE_IS_ROOT(x) (((node_t*)x)->isRoot)
 
 struct bplist_data {
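Review bot: The fallback `uint64_mul_overflow` on the `#else` branch divides by `b` with no zero check, so a call with `b == 0` is a division by zero (undefined behaviour, SIGFPE on most targets) rather than a "no overflow" result; the caller feeds it the trailer's `offset_size`, and no `offset_size == 0` rejection is visible in this patch, so the helper should be total on its own: `return b != 0 && a > UINT64_MAX / b;`. Separately, `__builtin_umulll_overflow` writes its result through an `unsigned long long *`, while the caller passes a `uint64_t *`; on LP64 targets where `uint64_t` is `unsigned long` that is an incompatible pointer type the compiler will warn about, and the type-generic `__builtin_mul_overflow` (GCC 5+, recent Clang) avoids it: `#define uint64_mul_overflow(a, b, r) __builtin_mul_overflow(a, b, r)` under `#if __has_builtin(__builtin_mul_overflow) || __GNUC__ >= 5`. A one-line comment above the helper stating that it returns non-zero when `a * b` does not fit in 64 bits and that `*res` always receives the (possibly wrapped) product would pin down the contract both branches must honour.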
@@ -703,6 +717,7 @@ PLIST_API void plist_from_bin(const char
     uint64_t num_objects = 0;
     uint64_t root_object = 0;
     const char *offset_table = NULL;
+    uint64_t offset_table_size = 0;
     const char *start_data = NULL;
     const char *end_data = NULL;
 
@@ -740,7 +755,10 @@ PLIST_API void plist_from_bin(const char
     if (offset_table < start_data || offset_table >= end_data)
         return;
 
-    if (offset_table + num_objects * offset_size > end_data)
+    if (uint64_mul_overflow(num_objects, offset_size, &offset_table_size))
+        return;
+
+    if ((offset_table + offset_table_size < offset_table) || (offset_table + offset_table_size > end_data))
         return;
 
     struct bplist_data bplist;
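Review bot: The new bounds check computes `offset_table + offset_table_size` before comparing, which for any oversized `offset_table_size` is pointer arithmetic beyond the buffer — undefined behaviour — and the wrap test `p + n < p` is precisely the idiom compilers are entitled to fold to false, so the guard may not survive optimisation. Because the preceding `offset_table >= end_data` check already guarantees `offset_table < end_data`, compare lengths instead of pointers: `if (offset_table_size > (uint64_t)(end_data - offset_table)) return;`. That also makes the `< offset_table` wrap clause unnecessary, and the multiplication-overflow early return above it stays as is. Note that `offset_size == 0` yields a zero-sized table that passes this check, so it must be rejected before the table is indexed; if such a check exists it is outside this hunk. `plist_from_bin` begins and ends outside this hunk.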