authorGravatar Nikias Bassen2022-01-28 22:06:02 +0100
committerGravatar Nikias Bassen2022-01-28 22:06:02 +0100
commit6ef1c269792ece2842f65b4b6966ebac3b21a8e3 (patch)
tree59f9d3ef72c9da0d9abbff3d851a706c1df7d2e1
parent7e45a2ee6e407d36374eb6c3d5196e768c246115 (diff)
jplist: Fix use-after-free in unescape_string
Credit to OSS-Fuzz
-rw-r--r--src/jplist.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/jplist.c b/src/jplist.c
index cb29742..ace4bff 100644
--- a/src/jplist.c
+++ b/src/jplist.c
@@ -496,13 +496,13 @@ static char* unescape_string(const char* str_val, size_t str_len, size_t *new_le
case 'u': {
unsigned int val = 0;
if (str_len-(i+2) < 4) {
- free(strval);
PLIST_JSON_ERR("%s: invalid escape sequence '%s' (too short)\n", __func__, strval+i);
+ free(strval);
return NULL;
}
if (!(isxdigit(strval[i+2]) && isxdigit(strval[i+3]) && isxdigit(strval[i+4]) && isxdigit(strval[i+5])) || sscanf(strval+i+2, "%04x", &val) != 1) {
- free(strval);
PLIST_JSON_ERR("%s: invalid escape sequence '%.*s'\n", __func__, 6, strval+i);
+ free(strval);
return NULL;
}
int bytelen = 0;
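Review bot: The four `isxdigit()` calls in the second check are passed `strval[i+2]` through `strval[i+5]` without a cast. If `strval` is a plain `char *` (its declaration is outside this hunk), a byte >= 0x80 in the JSON input becomes a negative argument on signed-char platforms, which is undefined behaviour for the `<ctype.h>` functions. Cast each argument, e.g. `isxdigit((unsigned char)strval[i+2])`. Separately, `str_len-(i+2) < 4` is unsigned arithmetic on `size_t str_len`, so it only rejects a short sequence if earlier code in `unescape_string` guarantees `i+2 <= str_len`, which cannot be confirmed from here; writing it as `if (i + 6 > str_len)` would avoid relying on that. The function body starts and ends outside the hunk.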