authorGravatar Nikias Bassen2017-01-16 02:00:27 +0100
committerGravatar Nikias Bassen2017-01-16 02:00:27 +0100
commit7a28a14cf6ed547dfd2e52a4db17f47242bfdef9 (patch)
tree7c4801860e30b90dbd047ffe082579744c104a3e
parent3a55ddd3c4c11ce75a86afbefd085d8d397ff957 (diff)
bplist: Disallow key nodes with non-string node types
As reported in #86, the binary plist parser would force the type of the key node to be PLIST_KEY even though the node might be of a different, i.e. non-string, type. A following plist_free() might then call free() on an invalid pointer; e.g. if the node is of type integer, its value would be considered a pointer, and free() would cause an error. We prevent this issue by disallowing non-string key nodes during parsing.
-rw-r--r--src/bplist.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/src/bplist.c b/src/bplist.c
index 0122e08..73fa4e0 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -441,6 +441,13 @@ static plist_t parse_dict_node(struct bplist_data *bplist, const char** bnode, u
plist_free(node);
return NULL;
}
+
+ if (plist_get_data(key)->type != PLIST_STRING) {
+ fprintf(stderr, "ERROR: Malformed binary plist dict, invalid node type for key!\n");
+ plist_free(node);
+ return NULL;
+ }
+
/* enforce key type */
plist_get_data(key)->type = PLIST_KEY;
if (!plist_get_data(key)->strval) {
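Review bot: The new rejection branch calls `plist_free(node)` but never releases `key`, which has already been parsed successfully and, as far as the hunk shows, is not yet attached to `node`, so it looks leaked on this path. Because the branch is reached only for malformed input, a long-running consumer that parses untrusted plists could be made to leak one node per rejected file. Adding `plist_free(key);` before `plist_free(node);` should be safe here, since the key's type has not yet been overwritten with PLIST_KEY and the node is freed according to its real type. parse_dict_node starts and continues outside this hunk, so the attachment point and the cleanup in the following `strval` check should be confirmed against the full function.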