diff options
author | Nikias Bassen | 2022-01-28 22:06:02 +0100 |
---|---|---|
committer | Nikias Bassen | 2022-01-28 22:06:02 +0100 |
commit | 6ef1c269792ece2842f65b4b6966ebac3b21a8e3 (patch) | |
tree | 59f9d3ef72c9da0d9abbff3d851a706c1df7d2e1 | |
parent | 7e45a2ee6e407d36374eb6c3d5196e768c246115 (diff) | |
download | libplist-6ef1c269792ece2842f65b4b6966ebac3b21a8e3.tar.gz libplist-6ef1c269792ece2842f65b4b6966ebac3b21a8e3.tar.bz2 |
jplist: Fix use-after-free in unescape_string
Credit to OSS-Fuzz
-rw-r--r-- | src/jplist.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/jplist.c b/src/jplist.c index cb29742..ace4bff 100644 --- a/src/jplist.c +++ b/src/jplist.c @@ -496,13 +496,13 @@ static char* unescape_string(const char* str_val, size_t str_len, size_t *new_le case 'u': { unsigned int val = 0; if (str_len-(i+2) < 4) { - free(strval); PLIST_JSON_ERR("%s: invalid escape sequence '%s' (too short)\n", __func__, strval+i); + free(strval); return NULL; } if (!(isxdigit(strval[i+2]) && isxdigit(strval[i+3]) && isxdigit(strval[i+4]) && isxdigit(strval[i+5])) || sscanf(strval+i+2, "%04x", &val) != 1) { - free(strval); PLIST_JSON_ERR("%s: invalid escape sequence '%.*s'\n", __func__, 6, strval+i); + free(strval); return NULL; } int bytelen = 0; |