commit 5bdbd3fe620e66a65373524a0707909ca926a3a1
author Nikias Bassen <nikias@gmx.li> Mon Jan 09 19:07:54 2023 +0100
committer Nikias Bassen <nikias@gmx.li> Mon Jan 09 19:07:54 2023 +0100
tree 5e429417afcc2720af40c102b9c3dfea7ece8738
parent 62b03b85a56a7b98e6eef237deeff1a8b41f8fb8

oplist: Fix OOB read by checking bounds properly

Credit to OSS-Fuzz

src/oplist.c

diff --git a/src/oplist.c b/src/oplist.c
index df12fb3..21d8a64 100644
--- a/src/oplist.c
+++ b/src/oplist.c
@@ -550,7 +550,7 @@
         if (ctx->pos >= ctx->end) {
             PLIST_OSTEP_ERR("EOF while parsing dictionary item at offset %ld\n", ctx->pos - ctx->start);
             ctx->err++;
-                    break;
+            break;
         }
         val = NULL;
         ctx->err = node_from_openstep(ctx, &val);
@@ -710,6 +710,11 @@
                 }
                 ctx->pos++;
             }
+            if (ctx->pos >= ctx->end) {
+                PLIST_OSTEP_ERR("EOF while parsing quoted string at offset %ld\n", ctx->pos - ctx->start);
+                ctx->err++;
+                goto err_out;
+            }
             if (*ctx->pos != c) {
                 plist_free_data(data);
                 PLIST_OSTEP_ERR("Missing closing quote (%c) at offset %ld\n", c, ctx->pos - ctx->start);