From 17b8e01bdfbdb38a2aec5cce0554b72bd37ee6ce Mon Sep 17 00:00:00 2001
From: Filippo Bigarella
Date: Mon, 31 Oct 2016 02:52:01 +0100
Subject: xplist: Prevent UaF when parsing structured nodes fails

In case parsing inside `node_from_xml` called from line 842 fails, `data` gets freed by the call to `plist_free` at line 899, since `subnode` is actually created by making it point to `data` at line 684.

This commit prevents this situation by bailing out whenever parsing in a deeper level of structured nodes fails.
---
 src/xplist.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/xplist.c b/src/xplist.c
index 9825a28..e5ba214 100644
--- a/src/xplist.c
+++ b/src/xplist.c
@@ -840,6 +840,11 @@ static void node_from_xml(parse_ctx ctx, plist_t *plist)
 if (!is_empty) {
 /* only if not empty */
 node_from_xml(ctx, &subnode);
+ if (ctx->err) {
+ /* make sure to bail out if parsing failed */
+ free(keyname);
+ return;
+ }
 if ((data->type == PLIST_DICT) && (plist_dict_get_size(subnode) == 1)) {
 /* convert XML CF$UID dictionaries to PLIST_UID nodes */
 plist_t uid = plist_dict_get_item(subnode, "CF$UID");
--
cgit v1.1-32-gdbae
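Review bot: The added `return` after the recursive `node_from_xml(ctx, &subnode)` call skips everything that follows in the function, including the `plist_free` at line 899 that the commit message describes as the function's own error cleanup, so the partially built `data` — which the message says was already handed to the caller through `*plist` at line 684 — is released only if some caller does it on seeing `ctx->err`; from the hunk alone it is not possible to tell whether that happens or whether the node leaks on this path, and that ownership should be stated where the early return is made. The comment `/* make sure to bail out if parsing failed */` restates the code rather than the invariant it protects; a more useful one would be `/* nested parse failed: subnode may already have been freed by the callee's error path, so it must not be read or attached to data */`. The same reasoning applies to any other recursive call site in this function that the hunk does not show. node_from_xml starts and ends outside the hunk.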