From bf44ba84846ba3fcc6b7ad24e820086fa4c2d8a0 Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Thu, 3 Feb 2022 00:37:12 +0100
Subject: jplist: Fix OOB read by making sure number of children is even

Credit to OSS-Fuzz
---
 src/jplist.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)


diff --git a/src/jplist.c b/src/jplist.c
index c2d3ae3..7264da2 100644
--- a/src/jplist.c
+++ b/src/jplist.c
@@ -671,12 +671,16 @@ static plist_t parse_object(const char* js, jsmntok_info_t* ti, int* index)
         PLIST_JSON_ERR("%s: token type != JSMN_OBJECT\n", __func__);
         return NULL;
     }
-    plist_t obj = plist_new_dict();
     int num_tokens = ti->tokens[*index].size;
     int num;
     int j = (*index)+1;
+    if (num_tokens % 2 != 0) {
+        PLIST_JSON_ERR("%s: number of children must be even\n", __func__);
+        return NULL;
+    }
+    plist_t obj = plist_new_dict();
     for (num = 0; num < num_tokens; num++) {
-        if (j >= ti->count) {
+        if (j+1 >= ti->count) {
             PLIST_JSON_ERR("%s: token index out of valid range\n", __func__);
             plist_free(obj);
             return NULL;
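Review bot: The new evenness guard on `num_tokens` is only correct if the loop body advances `num` and `j` by two per key/value pair, and that body lies outside the hunk, so the coupling deserves a comment at the guard, e.g. `/* jsmn counts keys and values as separate children of an object; the loop below consumes one key/value pair per iteration, so an odd count can never form a complete dict */` — worded to match what the vendored jsmn actually does, since that cannot be confirmed from the hunk. The `j+1 >= ti->count` check at the loop head now bounds the value token as well as the key, but parse_object continues past the hunk, so whether `j` is re-checked after a nested value consumes several tokens cannot be verified here; if the only later guard is this loop-head test, the comment should say so. Note that `num_tokens` is a signed `int` taken from the token `size`; if that field can never be negative, a short comment to that effect would document why no `< 0` check is needed alongside the parity test.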
-- 