jplist: Fix OOB read by making sure number of children is even

Credit to OSS-Fuzz
author: Nikias Bassen 2022-02-03 00:37:12 +0100
committer: Nikias Bassen 2022-02-03 00:37:12 +0100
commit: bf44ba84846ba3fcc6b7ad24e820086fa4c2d8a0 (patch)
tree: e657eb2fec27459e430d7a80e9d164216f3ee25d /src
parent: de49a34b0b7e7fa9534086ab94af64786b9ecaa3 (diff)
download: libplist-bf44ba84846ba3fcc6b7ad24e820086fa4c2d8a0.tar.gz
libplist-bf44ba84846ba3fcc6b7ad24e820086fa4c2d8a0.tar.bz2
1 files changed, 6 insertions, 2 deletions
diff --git a/src/jplist.c b/src/jplist.c
index c2d3ae3..7264da2 100644
--- a/src/jplist.c
+++ b/src/jplist.c
@@ -671,12 +671,16 @@ static plist_t parse_object(const char* js, jsmntok_info_t* ti, int* index)
         PLIST_JSON_ERR("%s: token type != JSMN_OBJECT\n", __func__);
         return NULL;
     }
-    plist_t obj = plist_new_dict();
     int num_tokens = ti->tokens[*index].size;
     int num;
     int j = (*index)+1;
+    if (num_tokens % 2 != 0) {
+        PLIST_JSON_ERR("%s: number of children must be even\n", __func__);
+        return NULL;
+    }
+    plist_t obj = plist_new_dict();
     for (num = 0; num < num_tokens; num++) {
-        if (j >= ti->count) {
+        if (j+1 >= ti->count) {
             PLIST_JSON_ERR("%s: token index out of valid range\n", __func__);
             plist_free(obj);
             return NULL;
author	Nikias Bassen	2022-02-03 00:37:12 +0100
committer	Nikias Bassen	2022-02-03 00:37:12 +0100
commit	bf44ba84846ba3fcc6b7ad24e820086fa4c2d8a0 (patch)
tree	e657eb2fec27459e430d7a80e9d164216f3ee25d /src
parent	de49a34b0b7e7fa9534086ab94af64786b9ecaa3 (diff)
download	libplist-bf44ba84846ba3fcc6b7ad24e820086fa4c2d8a0.tar.gz libplist-bf44ba84846ba3fcc6b7ad24e820086fa4c2d8a0.tar.bz2