author | Nikias Bassen | 2022-01-28 22:11:00 +0100 |
---|---|---|
committer | Nikias Bassen | 2022-01-28 22:12:09 +0100 |
commit | 088cdab964e6cd88b7f15f36eb3e08d38189cd21 (patch) | |
tree | c34ccf3bbd7db715dabf76adccb8decda5f502a4 /src | |
parent | 6ef1c269792ece2842f65b4b6966ebac3b21a8e3 (diff) | |
jplist: Fix NULL pointer dereference by handling errors from unescape_string correctly
Credit to OSS-Fuzz
Diffstat (limited to 'src')
-rw-r--r-- | src/jplist.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/jplist.c b/src/jplist.c
index ace4bff..c149d20 100644
--- a/src/jplist.c
+++ b/src/jplist.c
@@ -549,6 +549,9 @@ static plist_t parse_string(const char* js, jsmntok_t* tokens, int* index)
 size_t str_len = 0; ;
 char* strval = unescape_string(js + tokens[*index].start, tokens[*index].end - tokens[*index].start, &str_len);
+ if (!strval) {
+ return NULL;
+ }
 plist_t node;
 plist_data_t data = plist_new_plist_data();
@@ -612,6 +615,9 @@ static plist_t parse_object(const char* js, jsmntok_t* tokens, int* index)
 for (num = 0; num < num_tokens; num++) {
 if (tokens[j].type == JSMN_STRING) {
 char* key = unescape_string(js + tokens[j].start, tokens[j].end - tokens[j].start, NULL);
+ if (!key) {
+ return NULL;
+ }
 plist_t val = NULL;
 j++;
 num++;
|
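Review bot: The early `return NULL;` added in parse_object sits inside the `for` loop, so whatever the function allocated before the loop or in earlier iterations is abandoned without cleanup. The allocation of the dictionary being filled is outside the hunk, so this is inferred; if it exists at that point, the failure path should release it first, e.g. `plist_free(<dict under construction>); return NULL;`. Because this parser consumes untrusted JSON, a leak on every malformed key can be triggered repeatedly by hostile input and will also show up as a leak report under fuzzing. The matching check in parse_string comes before `plist_new_plist_data()`, so it needs no cleanup as far as the hunk shows. parse_object's body starts and ends outside the hunk.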