authorGravatar Nikias Bassen2015-01-31 20:19:40 +0100
committerGravatar Nikias Bassen2015-01-31 20:19:40 +0100
commit9da6e82da3552daf27bf50cc3308bdac886dc28d (patch)
treed5b1b6875e4e9ded9e1f5b7edca7a7578cce0bc3
parent3c4bf492e5211e4196de872b823370670d8c56fc (diff)
bplist: Fix possible crash in plist_from_bin() caused by access to already freed memory
Given a specifically ordered binary plist, the function plist_from_bin() would free BPLIST_DICT or BPLIST_ARRAY raw node data that is still required for parsing of following nodes. This commit addresses this issue by moving the memory free to the end of the parsing process.
-rw-r--r--src/bplist.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/src/bplist.c b/src/bplist.c
index 40b453b..cbe9481 100644
--- a/src/bplist.c
+++ b/src/bplist.c
@@ -720,8 +720,6 @@ PLIST_API void plist_from_bin(const char *plist_bin, uint32_t length, plist_t *
node_attach(nodeslist[i], n);
}
}
-
- free(data->buff);
break;
case PLIST_ARRAY:
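Review bot: Once the `free(data->buff)` is taken out of the PLIST_DICT case here, the raw buffer of every dictionary node stays alive until the final cleanup loop, so any early exit from plist_from_bin between this switch and that loop would leak all DICT/ARRAY buffers released so far; the body of plist_from_bin starts and ends outside this hunk, so I cannot see whether such exit paths exist, but each one should either fall through to the cleanup loop or release the buffers itself. The same consideration applies to the identical removal in the PLIST_ARRAY hunk at old line 738. Because which buffers are still referenced depends on the node order in the (untrusted) input, the new ownership should be stated at this point rather than left implicit, e.g. `/* data->buff is still referenced by later nodes; it is released in the final cleanup loop once all objects are parsed */`.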
@@ -738,7 +736,6 @@ PLIST_API void plist_from_bin(const char *plist_bin, uint32_t length, plist_t *
node_attach(nodeslist[i], node_copy_deep(nodeslist[index1], copy_plist_data));
}
}
- free(data->buff);
break;
default:
break;
@@ -749,6 +746,11 @@ PLIST_API void plist_from_bin(const char *plist_bin, uint32_t length, plist_t *
// free unreferenced nodes that would otherwise leak memory
for (i = 0; i < num_objects; i++) {
+ plist_data_t data = plist_get_data(nodeslist[i]);
+ if ((data->type == PLIST_DICT) || (data->type == PLIST_ARRAY)) {
+ free(data->buff);
+ data->buff = NULL;
+ }
if (i == root_object) continue;
node_t* node = (node_t*)nodeslist[i];
if (node && NODE_IS_ROOT(node)) {