diff options
| author |  Filippo Bigarella | 2016-10-31 02:52:01 +0100 |
|---|---|---|
| committer |  Nikias Bassen | 2016-10-31 02:52:01 +0100 |
| commit | 17b8e01bdfbdb38a2aec5cce0554b72bd37ee6ce (patch) | |
| tree | 77b8116f67c80cd124053f1f39461e834de4bc29 /src | |
| parent | 0be2a22a6504635bb89d4fe4402a9dbe851898d4 (diff) | |
| download | libplist-17b8e01bdfbdb38a2aec5cce0554b72bd37ee6ce.tar.gz libplist-17b8e01bdfbdb38a2aec5cce0554b72bd37ee6ce.tar.bz2 | |
xplist: Prevent UaF when parsing structured nodes failstime64
In case parsing inside `node_from_xml` called from line 842 fails, `data`
gets freed by the call to `plist_free` at line 899, since `subnode` is
actually created by making it point to `data` at line 684. This commit
prevents this situation by bailing out whenever parsing in a deeper level
of structured nodes fails.
Diffstat (limited to 'src')
| -rw-r--r-- | src/xplist.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/xplist.c b/src/xplist.c index 9825a28..e5ba214 100644 --- a/src/xplist.c +++ b/src/xplist.c @@ -840,6 +840,11 @@ static void node_from_xml(parse_ctx ctx, plist_t *plist) if (!is_empty) { /* only if not empty */ node_from_xml(ctx, &subnode); + if (ctx->err) { + /* make sure to bail out if parsing failed */ + free(keyname); + return; + } if ((data->type == PLIST_DICT) && (plist_dict_get_size(subnode) == 1)) { /* convert XML CF$UID dictionaries to PLIST_UID nodes */ plist_t uid = plist_dict_get_item(subnode, "CF$UID"); |