bplist: Fix integer overflow resulting in OOB heap buffer read Credit to OSS-Fuzz

commit: 72f7cf803635a127c63bcd37ab35ced28636410a [log] [tgz]
author: Nikias Bassen <nikias@gmx.li> Fri Feb 10 05:01:09 2017 +0100
committer: Nikias Bassen <nikias@gmx.li> Fri Feb 10 05:01:09 2017 +0100
tree: 909d15ea8bc3a70fe92b95d7754f5dffb3d79d0a
parent: 8e4b7a591c6a31b960d6e9e769c8efe15751df97 [diff]
diff --git a/src/bplist.c b/src/bplist.c
index da7bb63..0fd149e 100644
--- a/src/bplist.c
+++ b/src/bplist.c

@@ -825,6 +825,11 @@
         return;
     }
 
+    if (num_objects * offset_size < num_objects) {
+        PLIST_BIN_ERR("integer overflow when calculating offset table size (too many objects)\n");
+        return;
+    }
+
     if (offset_table + num_objects * offset_size > end_data) {
         PLIST_BIN_ERR("offset table points outside of valid range\n");
         return;
commit	72f7cf803635a127c63bcd37ab35ced28636410a	[log] [tgz]
author	Nikias Bassen <nikias@gmx.li>	Fri Feb 10 05:01:09 2017 +0100
committer	Nikias Bassen <nikias@gmx.li>	Fri Feb 10 05:01:09 2017 +0100
tree	909d15ea8bc3a70fe92b95d7754f5dffb3d79d0a
parent	8e4b7a591c6a31b960d6e9e769c8efe15751df97 [diff]