authorGravatar Filippo Bigarella2016-10-31 02:51:12 +0100
committerGravatar Nikias Bassen2016-10-31 02:51:12 +0100
commit0be2a22a6504635bb89d4fe4402a9dbe851898d4 (patch)
tree159e0f0f407581108204b087db07010c0c268453
parent6b9ab336fe3408a4f073a487f5265a1a2ed101f7 (diff)
xplist: Prevent heap buffer overflow when parsing empty tags
If `ctx->pos - p - 1` is greater than `taglen`, we end up writing outside the buffer pointed to by `tag`. This commit fixes it by checking the bounds of the heap buffer before writing.
-rw-r--r--src/xplist.c4
1 files changed, 3 insertions, 1 deletions
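--- a/src/xplist.c
+++ b/src/xplist.c
@@ -662,7 +662,9 @@ static void node_from_xml(parse_ctx ctx, plist_t *plist)
 return;
 }
 if (*(ctx->pos-1) == '/') {
-tag[ctx->pos - p - 1] = '\0';
+int idx = ctx->pos - p - 1;
+if (idx < taglen)
+tag[idx] = '\0';
 is_empty = 1;
 }
 ctx->pos++;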
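Review bot: The new guard `if (idx < taglen)` compares a pointer difference narrowed to `int` against `taglen`, whose type is not visible in the hunk; if `taglen` is unsigned a negative `idx` would be promoted and pass the check, and if it is signed a negative `idx` passes outright, so the bound check only covers the upper side. Keeping the offset as a `ptrdiff_t` and rejecting negatives closes both cases: `ptrdiff_t idx = ctx->pos - p - 1;` followed by `if (idx >= 0 && (size_t)idx < taglen) tag[idx] = '\0';` (`idx` is presumably never negative here since `p` should not lie past `ctx->pos - 1`, but the check costs nothing). When the guard fails the write is skipped silently yet `is_empty = 1` is still set, so `tag` keeps whatever it held; that is only safe if `tag` was already NUL-terminated where it was filled, which happens outside the hunk, and a comment such as `/* tag is already terminated at taglen; only shorten it when the '/' falls inside the buffer */` would record that assumption next to the guard. `node_from_xml` starts and ends outside the hunk.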