Limit binary plist stack depth to prevent stack overflows.

author: Edward Barnard 2017-05-05 10:14:15 +0100
committer: Edward Barnard 2017-05-05 10:14:15 +0100
commit: b077f9c93dc59f253435340b353edd0721dea58f (patch)
tree: 6e93ee1d302031c9c8d955f870afbe9d90e03f9d /src
parent: 645aece10f5b25ba015ef5ff240586a2f38aad7e (diff)
download: rust-plist-b077f9c93dc59f253435340b353edd0721dea58f.tar.bz2
1 files changed, 8 insertions, 0 deletions
diff --git a/src/binary/reader.rs b/src/binary/reader.rs
index 11d5dfa..cf1b026 100644
--- a/src/binary/reader.rs
+++ b/src/binary/reader.rs
@@ -39,6 +39,8 @@ pub struct EventReader<R> {
     // The largest single allocation allowed for this Plist.
     // Equal to the number of bytes in the Plist minus the magic and trailer.
     max_allocation_bytes: usize,
+    // The maximum number of nested arrays and dicts allowed in the plist.
+    max_stack_depth: usize,
     // The maximum number of objects that can be created. Default 10 * object_offsets.len().
     // Binary plists can contain circular references.
     max_objects: usize,
@@ -55,6 +57,7 @@ impl<R: Read + Seek> EventReader<R> {
             ref_size: 0,
             finished: false,
             max_allocation_bytes: 0,
+            max_stack_depth: 200,
             max_objects: 0,
             current_objects: 0,
         }
@@ -284,6 +287,11 @@ impl<R: Read + Seek> EventReader<R> {
             (_, _) => return Err(Error::InvalidData),
         };
 
+        // Prevent stack overflows when recursively parsing plist.
+        if self.stack.len() > self.max_stack_depth {
+            return Err(Error::InvalidData);
+        }
+
         Ok(result)
     }
 }
author	Edward Barnard	2017-05-05 10:14:15 +0100
committer	Edward Barnard	2017-05-05 10:14:15 +0100
commit	b077f9c93dc59f253435340b353edd0721dea58f (patch)
tree	6e93ee1d302031c9c8d955f870afbe9d90e03f9d /src
parent	645aece10f5b25ba015ef5ff240586a2f38aad7e (diff)
download	rust-plist-b077f9c93dc59f253435340b353edd0721dea58f.tar.bz2