heap-buffer-overflow in bplist.c:733 #103
Comments
I cannot reproduce it. This check prevents further processing for me:
It is supposed to prevent that the number of objects combined with the offset size will point outside of the plist data. The sample you provided has number of objects = 0x8000000000000003 and offset size = 0xFF. Maybe your compiler reduces the sizes to 32 bit? Strangely enough, even then it would point outside of the plist data...
@zhunki can you use this patch and paste the output:
@nikias the result is as follows. P.S. 0x8000000000000003*0xff=0x80000000000002FD. I'm using gcc, maybe your compiler is different and can handle such a case?
@nikias sure. well done.
bplist_c_733.txt
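For readers following the discussion above about the `number of objects * offset size` check: the example below is added here and is not libplist's code. It contrasts a plain multiply-and-compare bounds check with one that detects 64-bit wrap-around, using the trailer values from this thread; the `table_offset` parameter and the 100-byte plist length are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a 100-byte plist whose trailer claims
 * 0x8000000000000003 objects with an offset size of 0xFF (values from this issue). */
#define SAMPLE_LENGTH      100u
#define SAMPLE_NUM_OBJECTS 0x8000000000000003ULL
#define SAMPLE_OFFSET_SIZE 0xFFu

/* Naive check: num_objects * offset_size is computed modulo 2^64, so a
 * bogus trailer whose product wraps can still compare as "in bounds". */
bool offset_table_fits_naive(uint64_t num_objects, uint64_t offset_size,
                             uint64_t table_offset, uint64_t length)
{
    return table_offset + num_objects * offset_size <= length;
}

/* Hardened check: reject unusable offset sizes, then compute the table's
 * byte size and end position with overflow detection (GCC/Clang builtins). */
bool offset_table_fits_checked(uint64_t num_objects, uint64_t offset_size,
                               uint64_t table_offset, uint64_t length)
{
    uint64_t table_bytes, table_end;

    /* one offset entry is read into a 64-bit integer, so 1..8 bytes only */
    if (offset_size == 0 || offset_size > 8)
        return false;
    if (__builtin_mul_overflow(num_objects, offset_size, &table_bytes))
        return false;
    if (__builtin_add_overflow(table_offset, table_bytes, &table_end))
        return false;
    return table_end <= length;
}

int main(void)
{
    /* 0x8000000000000003 * 8 wraps to 0x18, which the naive check accepts */
    printf("naive (size 8):   %s\n",
           offset_table_fits_naive(SAMPLE_NUM_OBJECTS, 8, 0, SAMPLE_LENGTH) ? "accepts" : "rejects");
    printf("checked (size 8): %s\n",
           offset_table_fits_checked(SAMPLE_NUM_OBJECTS, 8, 0, SAMPLE_LENGTH) ? "accepts" : "rejects");
    printf("checked (0xFF):   %s\n",
           offset_table_fits_checked(SAMPLE_NUM_OBJECTS, SAMPLE_OFFSET_SIZE, 0, SAMPLE_LENGTH) ? "accepts" : "rejects");
    return 0;
}
```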