authorGravatar Filippo Bigarella2016-10-31 02:52:01 +0100
committerGravatar Nikias Bassen2016-10-31 02:52:01 +0100
commit17b8e01bdfbdb38a2aec5cce0554b72bd37ee6ce (patch)
tree77b8116f67c80cd124053f1f39461e834de4bc29
parent0be2a22a6504635bb89d4fe4402a9dbe851898d4 (diff)
xplist: Prevent UaF when parsing structured nodes failstime64
In case parsing inside `node_from_xml` called from line 842 fails, `data` gets freed by the call to `plist_free` at line 899, since `subnode` is actually created by making it point to `data` at line 684. This commit prevents this situation by bailing out whenever parsing at a deeper level of structured nodes fails.
-rw-r--r--src/xplist.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/xplist.c b/src/xplist.c
index 9825a28..e5ba214 100644
--- a/src/xplist.c
+++ b/src/xplist.c
@@ -840,6 +840,11 @@ static void node_from_xml(parse_ctx ctx, plist_t *plist)
if (!is_empty) {
/* only if not empty */
node_from_xml(ctx, &subnode);
+ if (ctx->err) {
+ /* make sure to bail out if parsing failed */
+ free(keyname);
+ return;
+ }
if ((data->type == PLIST_DICT) && (plist_dict_get_size(subnode) == 1)) {
/* convert XML CF$UID dictionaries to PLIST_UID nodes */
plist_t uid = plist_dict_get_item(subnode, "CF$UID");
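Review bot: The new early return frees `keyname` but not `subnode`, and nothing in the hunk records why that is correct; a reader will suspect either a leak or, after reading the commit message, a double free. Replace `/* make sure to bail out if parsing failed */` with a comment stating the ownership rule the fix relies on, e.g. `/* nested parse failed: subnode already belongs to the tree (see commit message), so only keyname is ours to release here; do not touch it or data */`, hedged as appropriate since the attachment of `subnode` and the `plist_free` on the error path are outside this hunk. It is also worth stating in the function's header comment what `*plist` holds when it returns with `ctx->err` set, so the top-level caller's cleanup can be checked against it; if `*plist` does not already point at `data` on this path, the early return would leak `data`. node_from_xml starts and ends outside the hunk.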