diff options
| author |  Nikias Bassen | 2017-01-16 02:00:27 +0100 |
|---|---|---|
| committer | Nikias Bassen | 2017-01-16 02:00:27 +0100 |
| commit | 7a28a14cf6ed547dfd2e52a4db17f47242bfdef9 (patch) | |
| tree | 7c4801860e30b90dbd047ffe082579744c104a3e | |
| parent | 3a55ddd3c4c11ce75a86afbefd085d8d397ff957 (diff) | |
| download | libplist-7a28a14cf6ed547dfd2e52a4db17f47242bfdef9.tar.gz libplist-7a28a14cf6ed547dfd2e52a4db17f47242bfdef9.tar.bz2 | |
bplist: Disallow key nodes with non-string node types
As reported in #86, the binary plist parser would force the type of the
key node to be of type PLIST_KEY while the node might be of a different
i.e. non-string type. A following plist_free() might then call free() on
an invalid pointer; e.g. if the node is of type integer, its value would
be considered a pointer, and free() would cause an error.
We prevent this issue by disallowing non-string key nodes during parsing.
| -rw-r--r-- | src/bplist.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/bplist.c b/src/bplist.c index 0122e08..73fa4e0 100644 --- a/src/bplist.c +++ b/src/bplist.c @@ -441,6 +441,13 @@ static plist_t parse_dict_node(struct bplist_data *bplist, const char** bnode, u plist_free(node); return NULL; } + + if (plist_get_data(key)->type != PLIST_STRING) { + fprintf(stderr, "ERROR: Malformed binary plist dict, invalid node type for key!\n"); + plist_free(node); + return NULL; + } + /* enforce key type */ plist_get_data(key)->type = PLIST_KEY; if (!plist_get_data(key)->strval) { |