| author | 2019-09-03 01:16:03 +0200 | |
|---|---|---|
| committer | 2019-09-03 01:21:05 +0200 | |
| commit | 6a53de92e2b5029ee293c79d481ff5fd9528f8c3 (patch) | |
| tree | c7d1f351abade12f9ff3a27ddd9808afcb6788b0 | |
| parent | 025d042c6228ab41832bcb3ebbae070a76033a4c (diff) | |
libcnary: [BUGFIX] Set list->end to NULL when removing last and only element from list
This prevents a use-after-free (UaF) in node_list_add. The issue became visible after removing
the last (and only) item from a PLIST_DICT or PLIST_ARRAY node, and then
adding a new item - the item will not make it into the actual dictionary or
array because the list->end pointer points to invalid memory, effectively
causing memory corruption.
| -rw-r--r-- | libcnary/node_list.c | 2 |
1 files changed, 2 insertions, 0 deletions
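--- a/libcnary/node_list.c
+++ b/libcnary/node_list.c
@@ -142,6 +142,8 @@ int node_list_remove(node_list_t* list, node_t* node) {
 // we just removed the first element
 if (newnode) {
 newnode->prev = NULL;
+} else {
+list->end = NULL;
 }
 list->begin = newnode;
 }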
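Review bot: The added `else` branch clears `list->end` without a comment saying why, and the reason is the part a later maintainer must not undo: once the only element is unlinked, `end` would otherwise keep pointing at a node that is presumably freed by the caller, and the next append would write through it. I would put a comment on the branch such as `// list is now empty: clear end too, or node_list_add would link through the removed node`. The start and end of node_list_remove are outside this hunk, including the path that removes a tail node whose `prev` is set. It is worth confirming that this path also moves `list->end` to `node->prev`, since the same dangling pointer would result if it does not. A regression test that removes the only item from a list and then adds a new one would keep this invariant from regressing.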
