From c18d6b323e8121c041e8b88d2ea6b6e85ca41274 Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Tue, 20 Jan 2026 15:15:17 +0100
Subject: plist: Fix heap overflow caused by incorrect PLIST_STRING length during copy

Credit to @LkkkLxy. Addresses #277.
---
 src/plist.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

(limited to 'src/plist.c')

diff --git a/src/plist.c b/src/plist.c
index 9a488bb..6197e3d 100644
--- a/src/plist.c
+++ b/src/plist.c
@@ -581,12 +581,27 @@ static plist_t plist_copy_node(node_t node)
 node_type = plist_get_node_type(node);
 switch (node_type) {
 case PLIST_DATA:
- newdata->buff = (uint8_t *) malloc(data->length);
- memcpy(newdata->buff, data->buff, data->length);
+ if (data->buff) {
+ newdata->buff = (uint8_t *) malloc(data->length);
+ assert(newdata->buff);
+ memcpy(newdata->buff, data->buff, data->length);
+ } else {
+ newdata->buff = NULL;
+ newdata->length = 0;
+ }
 break;
 case PLIST_KEY:
 case PLIST_STRING:
- newdata->strval = strdup(data->strval);
+ if (data->strval) {
+ size_t n = strlen(data->strval) + 1;
+ newdata->strval = (char*)malloc(n);
+ assert(newdata->strval);
+ memcpy(newdata->strval, data->strval, n);
+ newdata->length = (uint64_t)n;
+ } else {
+ newdata->strval = NULL;
+ newdata->length = 0;
+ }
 break;
 case PLIST_ARRAY:
 if (data->hashtable) {
--
cgit v1.1-32-gdbae
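Review bot: The PLIST_KEY/PLIST_STRING branch stores `newdata->length = (uint64_t)n` where `n` is `strlen(data->strval) + 1`, so the copied node's length counts the NUL terminator; if the string constructors elsewhere in plist.c (plist_new_string and its siblings) record `strlen()` without the terminator, a copy will disagree with its source by one byte, which is the same length/strval mismatch this commit sets out to remove — worth confirming against the constructors and, if they store the bare length, changing the line to `newdata->length = (uint64_t)(n - 1);`. Both new branches also rely on `assert(newdata->buff)` and `assert(newdata->strval)` as the only allocation-failure check; with NDEBUG defined these compile out and the following memcpy writes through a NULL pointer, so an explicit `if (!newdata->strval)` check that takes the function's normal failure path would hold in release builds as well. In the PLIST_DATA branch, `malloc(data->length)` with a non-NULL `buff` and a zero `length` may legitimately return NULL on some platforms, which would trip the assert on a valid empty node; guarding with `if (data->length)` or skipping the allocation when it is zero avoids that. plist_copy_node begins and ends outside the hunk, so whether `newdata->length` is otherwise pre-filled from the source node cannot be confirmed from here.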