libimobiledevice / libplist

A library to handle Apple Property List format in binary or XML
https://libimobiledevice.org
GNU Lesser General Public License v2.1

memory allocation error #88

Closed zhunki closed 7 years ago

zhunki commented 7 years ago

There is an extra-large memory allocation error which can be detected by AddressSanitizer.

==31613== ERROR: AddressSanitizer failed to allocate 0x80003000 (-2147471360) bytes of LargeMmapAllocator: Cannot allocate memory
    #0 0xb61a74b2 (/usr/lib/i386-linux-gnu/libasan.so.0+0x124b2)
    #1 0xb61b00dc (/usr/lib/i386-linux-gnu/libasan.so.0+0x1b0dc)
    #2 0xb61b3093 (/usr/lib/i386-linux-gnu/libasan.so.0+0x1e093)
    #3 0xb619d2ed (/usr/lib/i386-linux-gnu/libasan.so.0+0x82ed)
    #4 0xb61ab88b (/usr/lib/i386-linux-gnu/libasan.so.0+0x1688b)
    #5 0x806b036 in plist_from_bin /home/b/asan/libplist/src/bplist.c:762
    #6 0x804a1c4 in main /home/b/asan/libplist/tools/plistutil.c:139
    #7 0xb5fe3a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #8 0x804ad45 in _start (/home/b/asan/libplist/tools/plistutil+0x804ad45)

The source code around here is: bplist.used_indexes = (uint32_t*)malloc(sizeof(uint32_t) * num_objects); and num_objects equals a very large number.

poc.txt

nikias commented 7 years ago

This is a good one, it bypasses this check for the size of the offset table:

if (offset_table + num_objects * offset_size >= plist_bin + length)

because offset_size is 0. I will add a check for the sanity of the offset_size. If you want your real name to appear in the log messages, you can specify it here, with your github email address, or submit a pull request.
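The bypass described above, as an added illustration that is not code from libplist or from the fix commit: the quoted bounds check is modelled on byte offsets instead of pointers so it runs without a real buffer, and the hardened variant (an assumption about what a sound check looks like, not the project's actual patch) rejects a zero offset_size before using it as a multiplier and guards the multiplication against overflow. The sample values are constructed; the object count 0x20000C00 is derived from the 0x80003000-byte allocation in the ASan report divided by sizeof(uint32_t).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Check as quoted in the issue: with offset_size == 0 the product
 * num_objects * offset_size is 0, so any num_objects passes and the
 * later malloc(sizeof(uint32_t) * num_objects) is unbounded. */
bool offset_table_fits_vulnerable(uint64_t offset_table, uint64_t num_objects,
                                  uint8_t offset_size, uint64_t length)
{
    /* original form: offset_table + num_objects * offset_size >= plist_bin + length -> reject */
    return !(offset_table + num_objects * offset_size >= length);
}

/* Hardened variant (assumption, not the project's fix): validate
 * offset_size first, then compute the table size without overflow. */
bool offset_table_fits_hardened(uint64_t offset_table, uint64_t num_objects,
                                uint8_t offset_size, uint64_t length)
{
    /* assumption: bplist offsets are 1..8 bytes wide; 0 can never be valid */
    if (offset_size == 0 || offset_size > 8)
        return false;
    if (offset_table >= length)
        return false;
    /* num_objects * offset_size must not wrap around */
    if (num_objects > UINT64_MAX / offset_size)
        return false;
    uint64_t table_bytes = num_objects * offset_size;
    /* same rejection rule as the original: table may not reach the end */
    if (table_bytes >= length - offset_table)
        return false;
    return true;
}

int main(void)
{
    /* constructed input: 0x80003000 / 4 objects, offset_size 0, tiny file */
    uint64_t objs = 0x20000C00ULL;
    printf("vulnerable check accepts: %d\n",
           offset_table_fits_vulnerable(100, objs, 0, 200)); /* 1 */
    printf("hardened check accepts:   %d\n",
           offset_table_fits_hardened(100, objs, 0, 200));   /* 0 */
    return 0;
}
```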

zhunki commented 7 years ago

Sure. My name is Wang Junjie.

nikias commented 7 years ago

GitHub email address?

zhunki commented 7 years ago

zhunkibatu@gmail.com

nikias commented 7 years ago

Should be fixed with commit 26061aac4ec75e7a4469a9aab9a424716223e5c4

nikias commented 7 years ago

This was assigned CVE-2017-5835. http://seclists.org/oss-sec/2017/q1/279

epozuelo commented 7 years ago

Any plans for a new release? 1.12 is from 2014 and there have been many security fixes since then