From 19b79a93f5e45df7901091e9af6f2a6a6189c65b Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Wed, 21 Dec 2016 22:56:13 +0100
Subject: xplist: Fix UaF in code checking for closing tag

---
 src/xplist.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/xplist.c b/src/xplist.c
index ec75226..68fd3ab 100644
--- a/src/xplist.c
+++ b/src/xplist.c
@@ -1135,7 +1135,6 @@ static void node_from_xml(parse_ctx ctx, plist_t *plist, uint32_t depth)
                 free(keyname);
                 return;
             }
-            free(tag);
             if (subnode && !closing_tag) {
                 /* parse sub nodes for structured types */
                 if (data->type == PLIST_DICT || data->type == PLIST_ARRAY) {
@@ -1144,6 +1143,7 @@ static void node_from_xml(parse_ctx ctx, plist_t *plist, uint32_t depth)
                         node_from_xml(ctx, &subnode, depth+1);
                         if (ctx->err) {
                             /* make sure to bail out if parsing failed */
+                            free(tag);
                             free(keyname);
                             return;
                         }
@@ -1212,8 +1212,8 @@ static void node_from_xml(parse_ctx ctx, plist_t *plist, uint32_t depth)
                     ctx->err++;
                     break;
                 }
-                break;
             }
+            free(tag);
             free(keyname);
             keyname = NULL;
             plist_free(subnode);
-- 
cgit v1.1-32-gdbae