authorGravatar Nikias Bassen2022-02-03 00:37:12 +0100
committerGravatar Nikias Bassen2022-02-03 00:37:12 +0100
commitbf44ba84846ba3fcc6b7ad24e820086fa4c2d8a0 (patch)
treee657eb2fec27459e430d7a80e9d164216f3ee25d /src
parentde49a34b0b7e7fa9534086ab94af64786b9ecaa3 (diff)
jplist: Fix OOB read by making sure number of children is even
Credit to OSS-Fuzz
Diffstat (limited to 'src')
-rw-r--r--src/jplist.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/jplist.c b/src/jplist.c
index c2d3ae3..7264da2 100644
--- a/src/jplist.c
+++ b/src/jplist.c
@@ -671,12 +671,16 @@ static plist_t parse_object(const char* js, jsmntok_info_t* ti, int* index)
PLIST_JSON_ERR("%s: token type != JSMN_OBJECT\n", __func__);
return NULL;
}
- plist_t obj = plist_new_dict();
int num_tokens = ti->tokens[*index].size;
int num;
int j = (*index)+1;
+ if (num_tokens % 2 != 0) {
+ PLIST_JSON_ERR("%s: number of children must be even\n", __func__);
+ return NULL;
+ }
+ plist_t obj = plist_new_dict();
for (num = 0; num < num_tokens; num++) {
- if (j >= ti->count) {
+ if (j+1 >= ti->count) {
PLIST_JSON_ERR("%s: token index out of valid range\n", __func__);
plist_free(obj);
return NULL;
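Review bot: The `j+1 >= ti->count` guard at the top of the loop has no comment saying why it looks one token ahead, so a later cleanup could narrow it back to `j >= ti->count` and reopen the out-of-bounds read. Presumably each iteration reads a key token at `j` and its value at `j+1`; the loop body lies outside this hunk, so that is inferred from the commit title rather than seen. A comment such as `/* key at j, value at j+1: both must lie inside ti->tokens */` above the check would record the invariant, and the parity check could carry `/* children are key/value pairs */`. No regression input for the OSS-Fuzz case is visible here, though the diffstat is limited to src; one is worth adding if it does not already exist.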