From 0be2a22a6504635bb89d4fe4402a9dbe851898d4 Mon Sep 17 00:00:00 2001
From: Filippo Bigarella
Date: Mon, 31 Oct 2016 02:51:12 +0100
Subject: xplist: Prevent heap buffer overflow when parsing empty tags

If `ctx->pos - p - 1` is greater than `taglen`, we end up writing outside the buffer pointed to by `tag`. This commit fixes it by checking the bounds of the heap buffer before writing.
---
 src/xplist.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/xplist.c b/src/xplist.c
index 36db07d..9825a28 100644
--- a/src/xplist.c
+++ b/src/xplist.c
@@ -662,7 +662,9 @@ static void node_from_xml(parse_ctx ctx, plist_t *plist)
 return;
 }
 if (*(ctx->pos-1) == '/') {
- tag[ctx->pos - p - 1] = '\0';
+ int idx = ctx->pos - p - 1;
+ if (idx < taglen)
+ tag[idx] = '\0';
 is_empty = 1;
 }
 ctx->pos++;
-- 
cgit v1.1-32-gdbae
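Review bot: When `idx < taglen` fails, the added guard silently skips the terminator and still sets `is_empty = 1`, so `tag` is left in whatever state it had before and the parser continues as if the empty tag were valid; the overflow is gone, but a malformed tag should be rejected rather than processed with an unterminated or stale `tag`, presumably via the same error path as the `return;` visible at the top of the hunk. `ctx->pos - p - 1` is a pointer difference narrowed into `int`, and `taglen`'s type is not visible here, so the comparison may also be signed/unsigned; I would write `ptrdiff_t idx = ctx->pos - p - 1;` `if (idx < 0 || idx >= taglen) return;` `tag[idx] = '\0';` (with whatever error reporting the earlier `return;` performs). The enclosing `node_from_xml` starts and ends outside this hunk, so I cannot confirm from here how `tag` is allocated or what the earlier return does.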