libcnary: [BUGFIX] Set list->end to NULL when removing last and only element from list This prevents a UaF in node_list_add. The issue became visible after removing the last (and only) item from a PLIST_DICT or PLIST_ARRAY node, and then adding a new item - the item will not make it into the actual dictionary or array because the list->end pointer points to invalid memory, effectively causing memory corruption.

commit: 6a53de92e2b5029ee293c79d481ff5fd9528f8c3 [log] [tgz]
author: Nikias Bassen <nikias@gmx.li> Tue Sep 03 01:16:03 2019 +0200
committer: Nikias Bassen <nikias@gmx.li> Tue Sep 03 01:21:05 2019 +0200
tree: c7d1f351abade12f9ff3a27ddd9808afcb6788b0
parent: 025d042c6228ab41832bcb3ebbae070a76033a4c [diff]
diff --git a/libcnary/node_list.c b/libcnary/node_list.c
index a45457d..b0dca0a 100644
--- a/libcnary/node_list.c
+++ b/libcnary/node_list.c

@@ -142,6 +142,8 @@
 				// we just removed the first element
 				if (newnode) {
 					newnode->prev = NULL;
+				} else {
+					list->end = NULL;
 				}
 				list->begin = newnode;
 			}
commit	6a53de92e2b5029ee293c79d481ff5fd9528f8c3	[log] [tgz]
author	Nikias Bassen <nikias@gmx.li>	Tue Sep 03 01:16:03 2019 +0200
committer	Nikias Bassen <nikias@gmx.li>	Tue Sep 03 01:21:05 2019 +0200
tree	c7d1f351abade12f9ff3a27ddd9808afcb6788b0
parent	025d042c6228ab41832bcb3ebbae070a76033a4c [diff]