xplist: Fix possible integer overflow

Thanks to @ylwango613 for reporting
author: Nikias Bassen 2025-10-29 16:43:35 +0100
committer: Nikias Bassen 2025-10-29 16:43:35 +0100
commit: 613a76fb86294aa9ebff172932978c67b4d3cc3d (patch)
tree: 405c6833399282635606d59de5facac71d378884 /src/xplist.c
parent: 2bcc19589d9f34bb25f04bd0d4b755bbe06c9271 (diff)
download: libplist-613a76fb86294aa9ebff172932978c67b4d3cc3d.tar.gz
libplist-613a76fb86294aa9ebff172932978c67b4d3cc3d.tar.bz2
1 files changed, 2 insertions, 2 deletions
diff --git a/src/xplist.c b/src/xplist.c
index 66e1dba..7e39ea4 100644
--- a/src/xplist.c
+++ b/src/xplist.c
@@ -1066,7 +1066,7 @@ static plist_err_t node_from_xml(parse_ctx ctx, plist_t *plist)
                ctx->err++;
                goto err_out;
            }
-            int taglen = ctx->pos - p;
+            size_t taglen = ctx->pos - p;
            tag = (char*)malloc(taglen + 1);
            strncpy(tag, p, taglen);
            tag[taglen] = '\0';
@@ -1084,7 +1084,7 @@ static plist_err_t node_from_xml(parse_ctx ctx, plist_t *plist)
                goto err_out;
            }
            if (*(ctx->pos-1) == '/') {
-                int idx = ctx->pos - p - 1;
+                size_t idx = ctx->pos - p - 1;
                if (idx < taglen)
                    tag[idx] = '\0';
                is_empty = 1;
author	Nikias Bassen	2025-10-29 16:43:35 +0100
committer	Nikias Bassen	2025-10-29 16:43:35 +0100
commit	613a76fb86294aa9ebff172932978c67b4d3cc3d (patch)
tree	405c6833399282635606d59de5facac71d378884 /src/xplist.c
parent	2bcc19589d9f34bb25f04bd0d4b755bbe06c9271 (diff)
download	libplist-613a76fb86294aa9ebff172932978c67b4d3cc3d.tar.gz libplist-613a76fb86294aa9ebff172932978c67b4d3cc3d.tar.bz2

diff --git a/src/xplist.c b/src/xplist.c index 66e1dba..7e39ea4 100644 --- a/src/xplist.c +++ b/src/xplist.c
@@ -1066,7 +1066,7 @@ static plist_err_t node_from_xml(parse_ctx ctx, plist_t *plist)
1066	ctx->err++;	1066	ctx->err++;
1067	goto err_out;	1067	goto err_out;
1068	}	1068	}
1069	int taglen = ctx->pos - p;	1069	size_t taglen = ctx->pos - p;
1070	tag = (char*)malloc(taglen + 1);	1070	tag = (char*)malloc(taglen + 1);
1071	strncpy(tag, p, taglen);	1071	strncpy(tag, p, taglen);
1072	tag[taglen] = '\0';	1072	tag[taglen] = '\0';
@@ -1084,7 +1084,7 @@ static plist_err_t node_from_xml(parse_ctx ctx, plist_t *plist)
1084	goto err_out;	1084	goto err_out;
1085	}	1085	}
1086	if (*(ctx->pos-1) == '/') {	1086	if (*(ctx->pos-1) == '/') {
1087	int idx = ctx->pos - p - 1;	1087	size_t idx = ctx->pos - p - 1;
1088	if (idx < taglen)	1088	if (idx < taglen)
1089	tag[idx] = '\0';	1089	tag[idx] = '\0';
1090	is_empty = 1;	1090	is_empty = 1;