Check binary plist offset size is valid.

3 files changed, 12 insertions, 0 deletions

diff --git a/src/binary/reader.rs b/src/binary/reader.rs
index e783dfb..11d5dfa 100644
--- a/src/binary/reader.rs
+++ b/src/binary/reader.rs
@@ -85,11 +85,17 @@ impl<R: Read + Seek> EventReader<R> {
         let trailer_start = self.reader.seek(SeekFrom::End(-32 + 6))?;
 
         let offset_size = self.reader.read_u8()?;
+        match offset_size {
+            1 | 2 | 4 | 8 => (),
+            _ => return Err(Error::InvalidData)
+        }
+
         self.ref_size = self.reader.read_u8()?;
         match self.ref_size {
             1 | 2 | 4 | 8 => (),
             _ => return Err(Error::InvalidData)
         }
+
         let num_objects = self.reader.read_u64::<BigEndian>()?;
         let top_object = self.reader.read_u64::<BigEndian>()?;
         let offset_table_offset = self.reader.read_u64::<BigEndian>()?;
diff --git a/tests/data/binary_zero_offset_size.plist b/tests/data/binary_zero_offset_size.plist
new file mode 100644
index 0000000..83ede66
--- /dev/null
+++ b/tests/data/binary_zero_offset_size.plist
diff --git a/tests/fuzzer.rs b/tests/fuzzer.rs
index f5cd4c2..72be1b8 100644
--- a/tests/fuzzer.rs
+++ b/tests/fuzzer.rs
@@ -27,6 +27,12 @@ fn binary_circular_reference() {
     test_fuzzer_data_err(data);
 }
 
+#[test]
+fn binary_zero_offset_size() {
+    let data = include_bytes!("data/binary_zero_offset_size.plist");
+    test_fuzzer_data_err(data);
+}
+
 // Issue 20 - not found by fuzzing but this is a convenient place to put the test.
 #[test]
 fn issue_20_binary_with_data_in_trailer() {