diff options
| author |  Nikias Bassen | 2019-09-03 01:16:03 +0200 |
|---|---|---|
| committer | Nikias Bassen | 2019-09-03 01:21:05 +0200 |
| commit | 6a53de92e2b5029ee293c79d481ff5fd9528f8c3 (patch) | |
| tree | c7d1f351abade12f9ff3a27ddd9808afcb6788b0 | |
| parent | 025d042c6228ab41832bcb3ebbae070a76033a4c (diff) | |
| download | libplist-6a53de92e2b5029ee293c79d481ff5fd9528f8c3.tar.gz libplist-6a53de92e2b5029ee293c79d481ff5fd9528f8c3.tar.bz2 | |
libcnary: [BUGFIX] Set list->end to NULL when removing last and only element from list
This prevents a UaF in node_list_add. The issue became visible after removing
the last (and only) item from a PLIST_DICT or PLIST_ARRAY node, and then
adding a new item - the item will not make it into the actual dictionary or
array because the list->end pointer points to invalid memory, effectively
causing memory corruption.
| -rw-r--r-- | libcnary/node_list.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/libcnary/node_list.c b/libcnary/node_list.c index a45457d..b0dca0a 100644 --- a/libcnary/node_list.c +++ b/libcnary/node_list.c @@ -142,6 +142,8 @@ int node_list_remove(node_list_t* list, node_t* node) { // we just removed the first element if (newnode) { newnode->prev = NULL; + } else { + list->end = NULL; } list->begin = newnode; } |