oplist: Fix another OOB read

nikias · nikias · commit 85f5cbd3705b · 2023-01-17T01:26:58.000+01:00
Credit to OSS-Fuzz
diff --git a/fuzz/oplist-crashes/clusterfuzz-testcase-minimized-oplist_fuzzer-4716194114699264 b/fuzz/oplist-crashes/clusterfuzz-testcase-minimized-oplist_fuzzer-4716194114699264
@@ -0,0 +1 @@
+(<
diff --git a/src/oplist.c b/src/oplist.c
@@ -715,6 +715,13 @@ static int node_from_openstep(parse_ctx ctx, plist_t *plist)
                 plist_free_data(data);
                 goto err_out;
             }
+            if (ctx->pos >= ctx->end) {
+                byte_array_free(bytes);
+                plist_free_data(data);
+                PLIST_OSTEP_ERR("EOF while parsing data terminator '>' at offset %ld\n", ctx->pos - ctx->start);
+                ctx->err++;
+                goto err_out;
+            }
             if (*ctx->pos != '>') {
                 byte_array_free(bytes);
                 plist_free_data(data);
