From 6a53de92e2b5029ee293c79d481ff5fd9528f8c3 Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Tue, 3 Sep 2019 01:16:03 +0200
Subject: libcnary: [BUGFIX] Set list->end to NULL when removing last and only element from list

This prevents a UaF in node_list_add. The issue became visible after removing the last (and only) item from a PLIST_DICT or PLIST_ARRAY node, and then adding a new item - the item will not make it into the actual dictionary or array because the list->end pointer points to invalid memory, effectively causing memory corruption.
---
 libcnary/node_list.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libcnary/node_list.c b/libcnary/node_list.c
index a45457d..b0dca0a 100644
--- a/libcnary/node_list.c
+++ b/libcnary/node_list.c
@@ -142,6 +142,8 @@ int node_list_remove(node_list_t* list, node_t* node) {
 		// we just removed the first element
 		if (newnode) {
 			newnode->prev = NULL;
+		} else {
+			list->end = NULL;
 		}
 		list->begin = newnode;
 	}
-- 
cgit v1.1-32-gdbae
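Review bot: The new `else` branch restores the begin/end invariant only on the "removed the first element" path; the symmetric case, removing the tail node when it is not also the head, must update `list->end` to the removed node's `prev`, and whether that path already does so is outside this hunk and worth checking, because `node_list_add` dereferences `list->end` on the same assumption per the commit message. node_list_remove starts and ends outside the hunk. The added lines would benefit from a why-comment so the next maintainer does not "simplify" them away: `// list is now empty: node_list_add dereferences list->end, so it must not dangle`. A regression test that removes the sole element of a list and then calls node_list_add (e.g. on an empty PLIST_ARRAY) would pin the use-after-free this fixes; running the existing suite under ASan would have caught it as a heap-use-after-free rather than silent corruption.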