oplist: Fix another OOB read
Credit to OSS-Fuzz
diff --git a/fuzz/oplist-crashes/clusterfuzz-testcase-minimized-oplist_fuzzer-4716194114699264 b/fuzz/oplist-crashes/clusterfuzz-testcase-minimized-oplist_fuzzer-4716194114699264
new file mode 100644
index 0000000..2fa08dc
--- /dev/null
+++ b/fuzz/oplist-crashes/clusterfuzz-testcase-minimized-oplist_fuzzer-4716194114699264
@@ -0,0 +1 @@
+(<
\ No newline at end of file
diff --git a/src/oplist.c b/src/oplist.c
index 8936cce..4dd0df5 100644
--- a/src/oplist.c
+++ b/src/oplist.c
@@ -715,6 +715,13 @@
plist_free_data(data);
goto err_out;
}
+ if (ctx->pos >= ctx->end) {
+ byte_array_free(bytes);
+ plist_free_data(data);
+ PLIST_OSTEP_ERR("EOF while parsing data terminator '>' at offset %ld\n", ctx->pos - ctx->start);
+ ctx->err++;
+ goto err_out;
+ }
if (*ctx->pos != '>') {
byte_array_free(bytes);
plist_free_data(data);
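Review bot: The `%ld` in the added PLIST_OSTEP_ERR call is paired with `ctx->pos - ctx->start`, which is a pointer difference (ptrdiff_t), so the specifier only matches where `long` happens to be pointer-sized; on LLP64 targets it is a format/argument mismatch. Prefer `PLIST_OSTEP_ERR("EOF while parsing data terminator '>' at offset %td\n", ctx->pos - ctx->start);` or cast the difference to `long` explicitly, assuming PLIST_OSTEP_ERR forwards to a printf-style formatter (not visible here). The new bounds check itself is correct — it guards the `*ctx->pos` dereference on the line that follows — but its three-line cleanup (`byte_array_free(bytes); plist_free_data(data); goto err_out;`) is now the third copy of the same sequence in this stretch, which is the kind of duplication where a later branch forgets one of the frees; a single cleanup label that releases `bytes` and `data` would let every failure path share it. The enclosing function starts and ends outside the hunk.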