heap-buffer-overflow in parse_dict_node #89
Comments
@zhunki Can you re-run your test with the latest code on git master? I fixed a couple of things so this issue might not happen anymore. Thanks.
As for me, the problem still can be reproduced under ASAN, but disappears without ASAN.
It must occur before the infinite recursion because it says "Recursion detected in binary plist. Aborting." without ASAN.
Can you please tell exactly which commit fixes the issue so we can backport the patch for distro packages?
I haven't fully confirmed this issue fixed yet. The commit 6a44dfb was the latest before replying to the initial report.
Ok I checked and another issue was still there. Fixed with commit 4765d9a.
Just to complete the information, the other issue was in parse_array_node where the calculation of the items in an array would read out of bounds of the plist when the ref_size is too large. I had to modify the plist for the test to work properly, otherwise it would fail to parse before it reaches the affected location in the code. Base64 sample of poc17.bplist:
The original issue was assigned CVE-2017-5834. |
poc17.txt
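The out-of-bounds read described in the thread (the array's item count times ref_size running past the end of the plist buffer) is the kind of defect a length check before the reference loop prevents. The code below is an added illustration, not libplist's own code: the function names, the simplified array-node layout and the sample bytes are all constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Read one big-endian object reference of ref_size bytes (1..8). */
static uint64_t read_ref(const uint8_t *p, size_t ref_size)
{
    uint64_t v = 0;
    for (size_t i = 0; i < ref_size; i++)
        v = (v << 8) | p[i];
    return v;
}

/* True if `count` refs of `ref_size` bytes at `offset` fit inside `len`
 * bytes. Dividing instead of multiplying avoids size_t overflow. */
bool array_refs_in_bounds(size_t len, size_t offset, size_t count, size_t ref_size)
{
    if (ref_size == 0 || ref_size > 8 || offset > len)
        return false;
    return count <= (len - offset) / ref_size;
}

/* Copy the array node's refs into `out` (capacity max_out).
 * Returns the number of refs read, or -1 if the node is malformed. */
int parse_array_refs(const uint8_t *buf, size_t len, size_t offset,
                     size_t count, size_t ref_size, uint64_t *out, size_t max_out)
{
    if (!array_refs_in_bounds(len, offset, count, ref_size) || count > max_out)
        return -1;
    for (size_t i = 0; i < count; i++)
        out[i] = read_ref(buf + offset + i * ref_size, ref_size);
    return (int)count;
}

/* Constructed 8-byte sample: three 2-byte refs (1, 2, 3) plus two filler bytes. */
static const uint8_t SAMPLE[] = {0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0xAA, 0xBB};

/* Well-formed header: 3 refs x 2 bytes fit; returns the third ref (3). */
int sample_third_ref(void)
{
    uint64_t refs[3];
    if (parse_array_refs(SAMPLE, sizeof SAMPLE, 0, 3, 2, refs, 3) != 3)
        return -1;
    return (int)refs[2];
}
/* Oversized ref_size: 3 refs x 4 bytes would read past the buffer; returns -1. */
int sample_oversized(void)
{
    uint64_t refs[3];
    return parse_array_refs(SAMPLE, sizeof SAMPLE, 0, 3, 4, refs, 3);
}
```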