From 1df5db005ea9959c4e19107997f446dc17095be4 Mon Sep 17 00:00:00 2001
From: Edward Barnard
Date: Mon, 6 Mar 2017 21:08:58 +0000
Subject: Limit the number of objects that can be created by the binary parser.

Binary plists can contain circular references.
---
 src/binary/reader.rs | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'src/binary')

diff --git a/src/binary/reader.rs b/src/binary/reader.rs
index e8a2bf8..770b12f 100644
--- a/src/binary/reader.rs
+++ b/src/binary/reader.rs
@@ -40,6 +40,11 @@ pub struct EventReader {
     // The largest single allocation allowed for this Plist.
     // Equal to the number of bytes in the Plist minus the magic and trailer.
     max_allocation: usize,
+    // The maximum number of objects that can be created. Default 10 * object_offsets.len().
+    // Binary plists can contain circular references.
+    max_objects: usize,
+    // The number of objects created so far.
+    current_objects: usize,
 }
 
 impl EventReader {
@@ -50,7 +55,9 @@ impl EventReader {
             reader: reader,
             ref_size: 0,
             finished: false,
-            max_allocation: 0
+            max_allocation: 0,
+            max_objects: 0,
+            current_objects: 0,
         }
     }
 
@@ -92,6 +99,8 @@ impl EventReader {
         try!(self.reader.seek(SeekFrom::Start(offset_table_offset)));
         self.object_offsets = try!(self.read_ints(num_objects, offset_size));
 
+        self.max_objects = self.object_offsets.len() * 10;
+
         // Seek to top object
         self.stack.push(StackItem {
             object_refs: vec![top_object],
@@ -164,6 +173,10 @@ impl EventReader {
         match object_ref {
             Some(object_ref) => {
+                if self.current_objects > self.max_objects {
+                    return Err(Error::InvalidData);
+                }
+                self.current_objects += 1;
                 try!(self.seek_to_object(object_ref));
             }
             None => {
-- 
cgit v1.2.3
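Review bot: The guard in the last hunk is off by one: with `>` the reader materializes `max_objects + 1` objects before it rejects the input, which contradicts the field's "maximum number of objects that can be created" comment; `if self.current_objects >= self.max_objects {` matches the documented limit. Note too that this is a budget, not cycle detection — a plist whose object graph contains a cycle is still expanded up to ten times the size of its offset table before `Error::InvalidData` is returned, so the comment on `max_objects` should say so: `// Upper bound on objects expanded, not cycle detection: a self-referencing plist is still walked up to 10 * object_offsets.len() times before being rejected.` The `max_objects` value is only set once the trailer has been read (the third hunk), so until then it is 0 and any object reference would be rejected at the second object; that appears to be fine because the offset table is read first, but it is worth a one-line comment at the `max_objects: 0` initializer. The enclosing method in the last hunk starts and ends outside the hunk.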