File 0017-Fix-possible-out-of-bounds-read-in-parse_array_node-with-proper-bounds-checking.patch of Package libplist.4090
From 4765d9a60ca4248a8f89289271ac69cbffcc29bc Mon Sep 17 00:00:00 2001 From: Nikias Bassen <nikias@gmx.li> Date: Wed, 1 Feb 2017 20:22:38 +0100 Subject: [PATCH] bplist: Fix possible out-of-bounds read in parse_array_node() with proper bounds checking --- src/bplist.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/src/bplist.c b/src/bplist.c index 2e32f70..a73f1ee 100644 --- a/src/bplist.c +++ b/src/bplist.c @@ -447,10 +447,11 @@ static plist_t parse_dict_node(struct bplist_data *bplist, const char** bnode, u static plist_t parse_array_node(struct bplist_data *bplist, const char** bnode, uint64_t size) { uint64_t j; - uint32_t str_j = 0; - uint32_t index1; - + uint64_t str_j = 0; + uint64_t index1; plist_data_t data = plist_new_plist_data(); + const char *const end_data = bplist->data + bplist->size; + const char *index1_ptr = NULL; data->type = PLIST_ARRAY; data->length = size; @@ -459,7 +460,14 @@ static plist_t parse_array_node(struct bplist_data *bplist, const char** bnode, for (j = 0; j < data->length; j++) { str_j = j * bplist->ref_size; - index1 = UINT_TO_HOST((*bnode) + str_j, bplist->ref_size); + index1_ptr = (*bnode) + str_j; + + if (index1_ptr < bplist->data || index1_ptr + bplist->ref_size >= end_data) { + plist_free(node); + return NULL; + } + + index1 = UINT_TO_HOST(index1_ptr, bplist->ref_size); if (index1 >= bplist->num_objects) { plist_free(node);
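Review bot: in the first hunk, `end_data` is introduced but `size` is still copied into `data->length` without validation, so a crafted element count is only rejected from inside the loop, after the earlier iterations have already run. With `end_data` available, the node could be rejected up front when `size` exceeds `(end_data - *bnode) / bplist->ref_size` (with `ref_size` known to be non-zero). That single check would also keep `j * bplist->ref_size` from wrapping now that `str_j` is 64-bit.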
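Review bot: in the second hunk, the new test `index1_ptr + bplist->ref_size >= end_data` compares pointers after the additions have been made, so for a large `str_j` the expression `(*bnode) + str_j` has already left the buffer, which is undefined behaviour in C, and the `index1_ptr < bplist->data` half only triggers if the pointer happens to wrap. Compare lengths as integers instead, checking `str_j` and `bplist->ref_size` against `end_data - *bnode`. Also note that `>=` rejects a reference ending exactly at `end_data`; if that strictness is intended, a short comment saying why would help, otherwise `>` is the exact bound.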