oplist: Fix OOB read by checking bounds properly
Credit to OSS-Fuzz
diff --git a/src/oplist.c b/src/oplist.c
index df12fb3..21d8a64 100644
--- a/src/oplist.c
+++ b/src/oplist.c
@@ -550,7 +550,7 @@
if (ctx->pos >= ctx->end) {
PLIST_OSTEP_ERR("EOF while parsing dictionary item at offset %ld\n", ctx->pos - ctx->start);
ctx->err++;
- break;
+ break;
}
val = NULL;
ctx->err = node_from_openstep(ctx, &val);
@@ -710,6 +710,11 @@
}
ctx->pos++;
}
+ if (ctx->pos >= ctx->end) {
+ PLIST_OSTEP_ERR("EOF while parsing quoted string at offset %ld\n", ctx->pos - ctx->start);
+ ctx->err++;
+ goto err_out;
+ }
if (*ctx->pos != c) {
plist_free_data(data);
PLIST_OSTEP_ERR("Missing closing quote (%c) at offset %ld\n", c, ctx->pos - ctx->start);
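Review bot: The new EOF branch jumps to err_out without releasing `data`, while the existing missing-closing-quote branch directly below it calls `plist_free_data(data)` before reporting its error, so the two error paths leave the string node in different states. Unless err_out itself frees `data` (its label is outside the hunk, so I cannot confirm), a quoted string truncated at EOF now leaks the partially built node; add `plist_free_data(data);` before `goto err_out;` to match the sibling branch, or have the second branch use the same goto so there is one cleanup path. The `%ld` for the `ctx->pos - ctx->start` difference in the added message mirrors the existing messages but is a ptrdiff_t, so `%td` (or a cast) would be the strictly matching specifier. The enclosing function starts and ends outside this hunk.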