bplist: Fix integer overflow resulting in OOB heap buffer read
Credit to OSS-Fuzz
diff --git a/src/bplist.c b/src/bplist.c
index da7bb63..0fd149e 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -825,6 +825,11 @@
return;
}
+ if (num_objects * offset_size < num_objects) {
+ PLIST_BIN_ERR("integer overflow when calculating offset table size (too many objects)\n");
+ return;
+ }
+
if (offset_table + num_objects * offset_size > end_data) {
PLIST_BIN_ERR("offset table points outside of valid range\n");
return;
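Review bot: The added guard `num_objects * offset_size < num_objects` does not detect every wrap of the multiplication. Assuming `num_objects` is a 64-bit unsigned value (its declaration is outside the hunk), `num_objects` = 2^63 with `offset_size` = 3 wraps to exactly `num_objects`, so the test is false and the range check that follows runs on a truncated product. A division-based test has no such gaps, e.g. `if (offset_size != 0 && num_objects > UINT64_MAX / offset_size) {`. The pointer sum `offset_table + num_objects * offset_size` in the next check can also leave the buffer's address range, so comparing the product against `end_data - offset_table` would be sturdier, provided earlier code guarantees `offset_table <= end_data`. The enclosing function starts and ends outside the hunk, so whether a zero `offset_size` is already rejected cannot be confirmed from here.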