From b077f9c93dc59f253435340b353edd0721dea58f Mon Sep 17 00:00:00 2001
From: Edward Barnard
Date: Fri, 5 May 2017 10:14:15 +0100
Subject: Limit binary plist stack depth to prevent stack overflows.

---
 src/binary/reader.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'src/binary')

diff --git a/src/binary/reader.rs b/src/binary/reader.rs
index 11d5dfa..cf1b026 100644
--- a/src/binary/reader.rs
+++ b/src/binary/reader.rs
@@ -39,6 +39,8 @@ pub struct EventReader {
 // The largest single allocation allowed for this Plist.
 // Equal to the number of bytes in the Plist minus the magic and trailer.
 max_allocation_bytes: usize,
+ // The maximum number of nested arrays and dicts allowed in the plist.
+ max_stack_depth: usize,
 // The maximum number of objects that can be created. Default 10 * object_offsets.len().
 // Binary plists can contain circular references.
 max_objects: usize,
@@ -55,6 +57,7 @@ impl EventReader {
 ref_size: 0,
 finished: false,
 max_allocation_bytes: 0,
+ max_stack_depth: 200,
 max_objects: 0,
 current_objects: 0,
 }
@@ -284,6 +287,11 @@ impl EventReader {
 (_, _) => return Err(Error::InvalidData),
 };
 
+ // Prevent stack overflows when recursively parsing plist.
+ if self.stack.len() > self.max_stack_depth {
+ return Err(Error::InvalidData);
+ }
+
 Ok(result)
 }
 }
-- 
cgit v1.2.3
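Review bot: `max_stack_depth: 200` in the constructor is an unexplained literal, and unlike the neighbouring limits (`max_allocation_bytes` and `max_objects`, both initialised to 0 here and described in the struct comments as derived from the file) it is fixed for every input. A named constant carrying the reasoning would make the bound reviewable, for example `const DEFAULT_MAX_STACK_DEPTH: usize = 200;` with a comment stating why that depth is safe for consumers that recurse per nesting level. The name is a proposal, and the basis for 200 is not visible in this patch, so the comment should come from whoever measured it. The constructor body starts and ends outside the hunk.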
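Review bot: The new depth check at the end of this function returns the same `Error::InvalidData` as the malformed-input arm directly above it, so a caller or a log line cannot tell "nesting limit hit" apart from ordinary corruption. That distinction matters when triaging a suspicious file. If a dedicated error variant is too much API change, the field comment on `max_stack_depth` should at least say so, e.g. `// Exceeding this depth is reported as Error::InvalidData.` The check also sits after the `match`, so whatever the match did for the current object (presumably including any push onto `self.stack`, which is outside this hunk) has already happened when the limit trips. Moving the comparison ahead of that work would enforce the bound before the state changes. The enclosing function starts outside the hunk.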