author Nikias Bassen 2026-01-20 15:15:17 +0100
committer Nikias Bassen 2026-01-20 15:15:17 +0100
commit c18d6b323e8121c041e8b88d2ea6b6e85ca41274 (patch)
tree 2e4007b37eaa8ad6a7a7497c8d36b4c4bd67d077
parent cff6a14ba4d0964c4fb4843aad84db12b4df2854 (diff)
plist: Fix heap overflow caused by incorrect PLIST_STRING length during copy (HEAD, master)
Credit to @LkkkLxy. Addresses #277.
-rw-r--r-- src/plist.c 21
1 file changed, 18 insertions, 3 deletions
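--- a/src/plist.c
+++ b/src/plist.c
@@ -581,12 +581,27 @@ static plist_t plist_copy_node(node_t node)
 node_type = plist_get_node_type(node);
 switch (node_type) {
 case PLIST_DATA:
-newdata->buff = (uint8_t *) malloc(data->length);
-memcpy(newdata->buff, data->buff, data->length);
+if (data->buff) {
+newdata->buff = (uint8_t *) malloc(data->length);
+assert(newdata->buff);
+memcpy(newdata->buff, data->buff, data->length);
+} else {
+newdata->buff = NULL;
+newdata->length = 0;
+}
 break;
 case PLIST_KEY:
 case PLIST_STRING:
-newdata->strval = strdup(data->strval);
+if (data->strval) {
+size_t n = strlen(data->strval) + 1;
+newdata->strval = (char*)malloc(n);
+assert(newdata->strval);
+memcpy(newdata->strval, data->strval, n);
+newdata->length = (uint64_t)n;
+} else {
+newdata->strval = NULL;
+newdata->length = 0;
+}
 break;
 case PLIST_ARRAY:
 if (data->hashtable) {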
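Review bot: The `assert(newdata->buff)` and `assert(newdata->strval)` added after the two malloc calls are the only allocation-failure checks in the PLIST_DATA and PLIST_STRING branches, and assert() compiles to nothing under NDEBUG, so a release build still passes a NULL destination to memcpy when malloc fails; an explicit `if (!newdata->buff) { /* release newdata, report failure */ }` (and the same for strval) is needed, using whatever error convention plist_copy_node has — its body starts before and ends after this hunk, so that convention is not visible here. In the PLIST_DATA branch, `malloc(data->length)` with a non-NULL buff but a length of 0 may legitimately return NULL on some C libraries, which the assert would then misreport as out-of-memory; guarding with `if (data->buff && data->length)` avoids that corner. Separately, the PLIST_STRING branch stores `strlen(data->strval) + 1` in `newdata->length`, a count that includes the NUL terminator; if the string constructors elsewhere in this file record the length without the terminator, a copied node reports a length one larger than its original, so that convention is worth confirming before keeping the `+ 1` in the stored length.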