Fix unsigned integer overflow in binary plist offset-table bounds check (#596)

DTW-Thalion · web-flow · commit 3b13a4f7c105 · 2026-04-15T16:15:43.000+01:00
* Fix unsigned integer overflow in binary plist offset-table bounds check * Source/NSPropertyList.m: Reformulate the offset-table sanity check in GSBinaryPLParser -initWithData:mutability: to avoid unsigned integer overflow in the multiplication. The prior form `table_start + object_count * offset_size > _length` overflows on 32-bit unsigned whenever object_count * offset_size crosses 2^32; with offset_size already bounded to 1..4 by the guard above, an attacker-controlled object_count near 2^30 wraps the product past 2^32 and lets a malformed trailer slip through, after which -offsetForIndex: reads past _bytes. Rewritten as `table_start > _length || object_count > (_length - table_start) / offset_size` which never forms the product and keeps the subtraction from underflowing at the check site, so correctness no longer depends on the ordering of sibling branches. * Tests/base/NSPropertyList/TestInfo: New test group marker. * Tests/base/NSPropertyList/bplist-overflow-bounds.m: New regression test. Four assertions: two positive-control round-trips of a legitimately serialized bplist, plus two crafted trailers with object_count=0x40000000 and 0xffffffff against offset_size=4 that wrap the pre-fix product and would have been accepted. Written in plain main() with conditions inline in PASS(); uses NS_DURING only around the parser call itself because the bplist branch of +propertyListWithData:options:format:error: raises NSException on malformed input rather than populating the error out-parameter. Validated on Ubuntu 24.04 with clang 18 + libobjc2. With the fix applied, all 4 assertions pass. With the source change reverted but the test left in place, the 2 overflow-attack assertions fail (the pre-fix sum check accepts both wrapped trailers) while both positive-control assertions still pass, confirming each assertion actually discriminates the fixed and unfixed builds. * Apply review feedback from PR #596 * Source/NSPropertyList.m: Shorten the block comment above the rewritten bounds check to a note about the unsigned-overflow hazard and a pointer to the regression test. * Tests/base/NSPropertyList/bplist-overflow-bounds.m: Use PASS_EXCEPTION(NSGenericException) instead of hand-rolled NS_DURING/NS_HANDLER around the parser call, and PASS_EQUAL for the positive-control round-trip. PASS already catches stray exceptions, so neither helper function needs a try/catch wrapper. No change to the fix itself. Re-validated on Ubuntu 24.04 + clang 18: 4/4 pass with fix, 2/4 pass without (both overflow attacks fail as designed, both positive controls still pass).
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,26 @@
+2026-04-14 Todd White <todd.white@thalion.global>
+
+	* Source/NSPropertyList.m: Fix unsigned integer overflow in the
+	binary property list offset-table bounds check. The old form
+	`table_start + object_count * offset_size > _length` overflows
+	on 32-bit unsigned for attacker-controlled object_count near
+	2^30 (offset_size is bounded to 1..4 by the preceding guard),
+	wrapping the product past 2^32 so the sum lands below _length
+	even when the offset table runs past the end of the buffer;
+	offsetForIndex: then reads past _bytes. Reformulated as
+	`table_start > _length
+	 || object_count > (_length - table_start) / offset_size`
+	which is overflow-free and self-contained (the leading
+	table_start > _length test guards the subtraction from
+	underflowing, removing the previous implicit dependence on the
+	next-in-chain table_start > _length - 32 branch).
+	* Tests/base/NSPropertyList/bplist-overflow-bounds.m: New
+	regression test that crafts malformed bplist trailers directly
+	and verifies they are rejected, with a positive control that
+	round-trips a legitimately serialized bplist.
+	Analysis and code from Todd White <todd.white@thalion.global>
+	using Claude.
+
 2026-04-14 Richard Frith-Macdonald <rfm@gnu.org>
 
 	* Source/NSJSONSerialization.m: Implementation of nesting limit when
diff --git a/Source/NSPropertyList.m b/Source/NSPropertyList.m
@@ -3085,7 +3085,13 @@ - (id) initWithData: (NSData*)plData
 	  [NSException raise: NSGenericException
 		      format: @"Unknown table size %d", saved];
 	}
-      else if (table_start + object_count * offset_size > _length)
+      /* The obvious form of the bound,
+       *   table_start + object_count * offset_size > _length,
+       * overflows on unsigned multiplication; take care when editing.
+       * See Tests/base/NSPropertyList/bplist-overflow-bounds.m.
+       */
+      else if (table_start > _length
+	|| object_count > (_length - table_start) / offset_size)
         {
 	  DESTROY(self);	// Bad format
 	  [NSException raise: NSGenericException
diff --git a/Tests/base/NSPropertyList/TestInfo b/Tests/base/NSPropertyList/TestInfo
diff --git a/Tests/base/NSPropertyList/bplist-overflow-bounds.m b/Tests/base/NSPropertyList/bplist-overflow-bounds.m
@@ -0,0 +1,140 @@
+/*
+ * bplist-overflow-bounds.m - regression test for the binary property
+ * list offset-table bounds check.
+ *
+ * GSBinaryPLParser must confirm that the offset table does not run
+ * past the end of the supplied data before it calls -offsetForIndex:.
+ * The obvious bound,
+ *
+ *     table_start + object_count * offset_size > _length
+ *
+ * wraps on 32-bit unsigned for any attacker-controlled object_count
+ * whose product with offset_size crosses 2^32.  Because offset_size
+ * is already bounded to 1..4 by an earlier guard, object_counts near
+ * or above 2^30 are enough to wrap the sum back below _length, so a
+ * crafted trailer that declares billions of entries over a handful
+ * of bytes slips through the check and -offsetForIndex: then reads
+ * past the end of the buffer.  The rewritten bound divides the
+ * non-negative difference (_length - table_start) by offset_size and
+ * so never forms the overflowing product.
+ *
+ * These trailers cannot be produced by +dataWithPropertyList:; the
+ * test assembles them directly as raw bytes.
+ */
+
+#import <Foundation/Foundation.h>
+#import "ObjectTesting.h"
+
+/* Build a raw binary-plist buffer with a caller-specified trailer.
+ * Byte 8 holds a single bplist-encoded YES so that the root index
+ * points at a nominal object; the rest of the body is zero fill.
+ * GSBinaryPLParser reads object_count / root_index / table_start
+ * from the lower four bytes of each 8-byte trailer field, so the
+ * helper only threads 32-bit values through.
+ */
+static NSData *
+craftBplist(uint32_t object_count,
+            uint8_t  offset_size,
+            uint8_t  index_size,
+            uint32_t root_index,
+            uint32_t table_start,
+            unsigned total_length)
+{
+  NSMutableData	*d;
+  unsigned char	*b;
+  unsigned char	postfix[32];
+
+  if (total_length < 33)
+    {
+      total_length = 33;
+    }
+  d = [NSMutableData dataWithLength: total_length];
+  b = (unsigned char *)[d mutableBytes];
+
+  memcpy(b, "bplist00", 8);
+  b[8] = 0x09;
+
+  memset(postfix, 0, sizeof(postfix));
+  postfix[6]  = offset_size;
+  postfix[7]  = index_size;
+  postfix[12] = (unsigned char)((object_count >> 24) & 0xff);
+  postfix[13] = (unsigned char)((object_count >> 16) & 0xff);
+  postfix[14] = (unsigned char)((object_count >>  8) & 0xff);
+  postfix[15] = (unsigned char)( object_count        & 0xff);
+  postfix[20] = (unsigned char)((root_index >> 24) & 0xff);
+  postfix[21] = (unsigned char)((root_index >> 16) & 0xff);
+  postfix[22] = (unsigned char)((root_index >>  8) & 0xff);
+  postfix[23] = (unsigned char)( root_index        & 0xff);
+  postfix[28] = (unsigned char)((table_start >> 24) & 0xff);
+  postfix[29] = (unsigned char)((table_start >> 16) & 0xff);
+  postfix[30] = (unsigned char)((table_start >>  8) & 0xff);
+  postfix[31] = (unsigned char)( table_start        & 0xff);
+
+  memcpy(b + total_length - 32, postfix, 32);
+  return d;
+}
+
+int
+main(int argc, char *argv[])
+{
+  START_SET("NSPropertyList binary plist offset-table bounds")
+  NSDictionary	*valid;
+  NSData	*serialized;
+  NSData	*crafted;
+
+  /* Positive control: a legitimately serialized bplist must still
+   * round-trip.  Guards against a fix that tightens the check too
+   * far and starts rejecting valid input.
+   */
+  valid = [NSDictionary dictionaryWithObjectsAndKeys:
+    @"value", @"key", nil];
+  serialized = [NSPropertyListSerialization
+                 dataWithPropertyList: valid
+                               format: NSPropertyListBinaryFormat_v1_0
+                              options: 0
+                                error: NULL];
+  PASS(serialized != nil, "valid dictionary serialized as bplist")
+  PASS_EQUAL([NSPropertyListSerialization
+               propertyListWithData: serialized
+                            options: NSPropertyListImmutable
+                             format: NULL
+                               error: NULL],
+    valid,
+    "valid bplist round-trips through the parser")
+
+  /* Attack 1: object_count = 0x40000000, offset_size = 4.  On 32-bit
+   * unsigned the product wraps to zero, which would defeat the
+   * pre-fix naive sum check.  The buffer is intentionally short so
+   * that even a one-entry table walk is out of bounds.
+   */
+  crafted = craftBplist(0x40000000u, 4, 1,
+                        /*root_index*/    0,
+                        /*table_start*/   9,
+                        /*total_length*/ 64);
+  PASS_EXCEPTION(([NSPropertyListSerialization
+                    propertyListWithData: crafted
+                                 options: NSPropertyListImmutable
+                                  format: NULL
+                                   error: NULL]),
+    NSGenericException,
+    "object_count=0x40000000 offset_size=4 (product wraps to 0) rejected")
+
+  /* Attack 2: the maximum 32-bit object_count with the same
+   * offset_size.  The product wraps to 4 * 2^32 - 4, a small value
+   * that again defeats the naive sum check.
+   */
+  crafted = craftBplist(0xffffffffu, 4, 1,
+                        /*root_index*/    0,
+                        /*table_start*/   9,
+                        /*total_length*/ 64);
+  PASS_EXCEPTION(([NSPropertyListSerialization
+                    propertyListWithData: crafted
+                                 options: NSPropertyListImmutable
+                                  format: NULL
+                                   error: NULL]),
+    NSGenericException,
+    "object_count=0xffffffff offset_size=4 rejected")
+
+  END_SET("NSPropertyList binary plist offset-table bounds")
+  return 0;
+}
