Limit binary plist stack depth to prevent stack overflows.

3 files changed, 14 insertions, 0 deletions

diff --git a/src/binary/reader.rs b/src/binary/reader.rs
index 11d5dfa..cf1b026 100644
--- a/src/binary/reader.rs
+++ b/src/binary/reader.rs
@@ -39,6 +39,8 @@ pub struct EventReader<R> {
     // The largest single allocation allowed for this Plist.
     // Equal to the number of bytes in the Plist minus the magic and trailer.
     max_allocation_bytes: usize,
+    // The maximum number of nested arrays and dicts allowed in the plist.
+    max_stack_depth: usize,
     // The maximum number of objects that can be created. Default 10 * object_offsets.len().
     // Binary plists can contain circular references.
     max_objects: usize,
@@ -55,6 +57,7 @@ impl<R: Read + Seek> EventReader<R> {
             ref_size: 0,
             finished: false,
             max_allocation_bytes: 0,
+            max_stack_depth: 200,
             max_objects: 0,
             current_objects: 0,
         }
@@ -284,6 +287,11 @@ impl<R: Read + Seek> EventReader<R> {
             (_, _) => return Err(Error::InvalidData),
         };
 
+        // Prevent stack overflows when recursively parsing plist.
+        if self.stack.len() > self.max_stack_depth {
+            return Err(Error::InvalidData);
+        }
+
         Ok(result)
     }
 }
diff --git a/tests/data/binary_circular_array.plist b/tests/data/binary_circular_array.plist
new file mode 100644
index 0000000..57d4575
--- /dev/null
+++ b/tests/data/binary_circular_array.plist
diff --git a/tests/fuzzer.rs b/tests/fuzzer.rs
index 100e569..44d4297 100644
--- a/tests/fuzzer.rs
+++ b/tests/fuzzer.rs
@@ -39,6 +39,12 @@ fn binary_nan_date() {
     test_fuzzer_data_err(data);
 }
 
+#[test]
+fn binary_circular_array() {
+    let data = include_bytes!("data/binary_circular_array.plist");
+    test_fuzzer_data_err(data);
+}
+
 // Issue 20 - not found by fuzzing but this is a convenient place to put the test.
 #[test]
 fn issue_20_binary_with_data_in_trailer() {