Merge upstream changes #1

Open

suprstarrd wants to merge 118 commits from mirror/libplist:master into master

pull from: mirror/libplist:master

merge into: SideStore:master

SideStore:master

Conversation 0 Commits 118 Files changed 75 +8378 -2041

suprstarrd commented 2026-04-25 01:53:56 +00:00

Owner

Copy link

No description provided.

suprstarrd added 118 commits 2026-04-25 01:53:56 +00:00

Allow building without Python 73b4b2d2e8

Fix Cython dump method d1d2d36791

Fix dictionary key deletion in Cython 960da293e9

[github-actions] Remove unneeded Python 2 path for macOS build f21f2e3142

Updated README with updated Linux installation steps c46afc87ad

Prevent OOB access in plist_from_memory ... 8487d23fd2

Credit to OSS-Fuzz

configure: Use string for tm_zone assignment ... b3cf5bec39

This matches what the actual sources do.  Clang 16 and GCC 14
no longer support converting ints to pointers implicitly, so the
configure probe always fails with these compilers.

Fix PLIST_API definitions 3daee6097c

Add a libplist_version() function to the interface 082b69db5d

Updated README 122263b931

Updated README 44607736ee

Updated README 3ca4f1427e

docs: Use README.md to generate mainpage with doxygen ... 86c3ef2de8

Actually we are using a slightly modified one that removes the
`Table of Contents` section and replaces it with the doxygen-compatible
`[TOC]` to auto-generate a TOC that has working links.

Update soversion ead508ac82

Updated NEWS for release 51623f619c

[github-actions] Updated build workflow to use v4 for checkout and upload-artifact 578c78b3c2

[github-actions] Use newer cython version (Linux) a1ef9d32a3

autoconf: Require cython 3.0 for python bindings 612cdf3ffd

Change API around #PLIST_DATA to use uint8_t instead of char arrays ... a91f5740d1

This makes it more obvious that it is arbitrary data and not necessarily
a string value.

automake: Prevent dist or distcheck when uncommitted changes are present 0b73e02a2b

Add PLIST_DICT convenience functions for different queries/operations f8be42eaef

[github-actions] Fix cython installation for macOS build 5461edafb3

Bump soversion for release 0e7657e24d

Updated NEWS for release 06877b5ecb

Revert "Change API around #PLIST_DATA to use uint8_t instead of char arrays" ... 1327c87bf9

This reverts commit a91f5740d1.

Update soversion for release c96b1ad142

Updated NEWS for release 2117b8fdb6

json: Allow e+/E+ in exponent as per RFC 8259 e3568d816e

[github-actions] codeql-analysis: Update actions to newer version e8791e2d8b

Update README a5df0a6640

Switch to more generic global initializer method 3a1404c2e8

Switch from detecting little endian (common) to detecting big endian (rare) ... 8f24c4876a

This prevents a bug class where we bswap things when __LITTLE_ENDIAN__ is not defined.
Almost all modern systems are little endian, so detecting __BIG_ENDIAN__ is a better strategy.

Fix compilation on MSVC b611aa62b8

Fix warnings on MSVC 1813edad70

Use listplist_version function instead of PACKAGE_VERSION in plistutil 6eff9eb548

Add missing cast in UINT_TO_HOST 3d61170bbb

[github-actions] Run build workflow on pull_request 581b3e23a7

Updated ax_python_devel.m4 c1e3868485

configure: Removed unused check 8dee549fd2

configure: Allow building the library without tool(s) e3ca6af2c5

Remove pthread dependency 44099d4b79

C++: Fix String::GetValue memory leaking and suport assignment of const char* 02be84957d

C++: Add more convenience functions to the interface d40f03e409

C++: Use free() instead of delete for C things 5ea6de69af

Fix segmentation fault when calling plist_sort() on an empty dictionary ... 228a305069

Credit to @Anza2001

[github-actions] cifuzz: Update upload-artifact to v4 02ceecad2a

C++: Fix bug in array_fill helper function a6afb2229d

C++: Explicitly initialize base class in copy constructor 636ec1f53b

C++: Add new Structure::FromMemory() 8e310421ad

C++: Add const char* constructor to String class 31f1a810e5

C++: Add = operator to String class ed8a73301b

C++: Array: Add const Node& variants to Append, Insert e6f3c6c621

C++: Dictionary: Update template definition for better readability 464382e6f8

C++: Add f/Front() and b/Back() to Array to access first/last element 1aae1e5b7d

C++: Data: Add const char* constructor d031e94d7a

Fix plist_set_date_val to use correct size for data storage ... eee2e519e9

Otherwise the internal assertion will trigger since the incorrect
size will be checked against.

Thanks to @michaelwright235, @guyingzhao, and others for pointing this out!

cython: Fix build with cython 3.1+ d7fe479707

Add plist_new_unix_date, plist_get_unix_date_val, plist_set_unix_date_val functions ... cb76e4da84

These functions work with int64_t values representing a UNIX timestamp instead
of using the 'MAC epoch'. They should be used instead of plist_new_date,
plist_get_date_val, and plist_set_date_val, which are now marked deprecated
and might be removed in a future version of libplist.

Update soversion for release e255ed0727

Updated NEWS for release b8cfac2aae

Silence deprecation warning by using underlying code directly ... cf5897a71e

plist_date_val_compare calls plist_get_date_val which is now marked
deprecated. To avoid compiler warnings during build, we use the underlying
implementation directly instead of calling the function to work around it.

[github-actions] Update build workflow to use windows-latest 20d5d57e92

Add FUNDING c38ad16788

Fix proper use of calloc 91ba4263dd

Fix Integer constructor to copy plist node ... 7355dc8e83

Updated the Integer(const PList::Integer&) constructor to free the existing plist node and copy the node from the input object, ensuring correct initialization.

Update documentation style d9958ba8fd

docs: Fix CSS 543e20b9d7

Use sufficiently large data type for indexes/position counters 3588b4dbdb

time64: Assert if date is pointing to NULL ... b5a9af880f

Given the fact that timegm64 is only invoked with a valid pointer,
this should never trigger.

OpenStep: Fix possible integer overflow in node_from_openstep ... 2bcc19589d

Thanks to @ylwango613 for pointing this out!

xplist: Fix possible integer overflow ... 613a76fb86

Thanks to @ylwango613 for reporting

plistutil: (partially) Fix processing extremely large files ... 438f01bad1

Thanks to @ylwango613 for reporting.

xplist: Allow empty key entry in PLIST_DICT ... 2c50f76481

Even though this is weird, the DTD allows it. This commit will also make
the XML output write `<key/>` and `<string/>` instead of `<key></key>` and `<string></string>`
in case of empty key/string node.

test: fix operator error ... 18e5b22a71

Otherwise test fail with error [: -neq: binary operator expected

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>

cpp: Add this comparison to operator= copy assign b020cf26b8

test: Fix ostep-invalid-types test case b32b370d8d

bplist: Fix offset_table range check ... 15164ebe87

Credit to OSS-Fuzz

plist: make plist_data_compare NULL-safe ... c74e34edda

Ensure plist_data_compare safely handles NULL inputs by normalizing
NULL data to empty values and avoiding invalid dereferences.

hashtable: Remove unnecessary casts by using the correct type for the next member 25d61ff8b5

Add circular reference detection to all format writers ... 5b3ae4c132

Thanks to @LkkkLxy for pointing out the issue.

bplist: Fix format specifier in debug message 26dd27c435

Prevent deep nesting of plist structures in all input/output formats ... e45099fb21

Thanks to @unbengable12 for reporting. Addresses #288, #289, #290, #291, and #292.

plistutil: Use proper error description for new error codes 001a59eef3

plist: Reject insertion of plist nodes that already have a parent ... cff6a14ba4

Credit to @LkkkLxy for reporting (#276).

libplist nodes are owned by exactly one container. Inserting the same
plist_t into multiple dicts or arrays corrupts the tree structure and
leads to use-after-free crashes during traversal or plist_free().

Add explicit parent checks to dict and array insertion APIs to reject
nodes that already belong to another container. In debug builds, this
fails loudly via assert() and optional diagnostics; in release builds,
the operation safely no-ops.

Callers that need to reuse values must create a copy using plist_copy()
or explicitly detach the node before reinserting it.

plist: Fix heap overflow caused by incorrect PLIST_STRING length during copy ... c18d6b323e

Credit to @LkkkLxy. Addresses #277.

jsmn: use size_t for token offsets and harden against overflow ... c0f9df912d

Use size_t for token start/end offsets instead of int, replace the -1
sentinel with SIZE_MAX, and add a defensive guard against offset
wraparound. This prevents overflow when parsing very large JSON inputs.

This addresses issue #282.

Credit to @ylwango613 for repporting.

plist: Fix incorrect size storage in plist_copy() for PLIST_STRING nodes f06c4c6b6c

bplist: Fix UTF-8 to UTF-16 decoding and enforce strict validation ... 80c2fe8073

- Treat input as unsigned bytes
- Correct UTF-8 bit decoding for 2/3/4-byte sequences
- Add overlong, surrogate, and range checks
- Enforce lead/continuation byte constraints

This addresses issue #283.

Credit to @hgarrereyn for reporting.

bplist: Fix is_ascii_string by using sufficiently large data type ... 502eb2a102

Fixes #285

Credit to @ylwango613 for reporting.

xplist: Harden entity unescaping against malformed input ... ac7b64160f

- Fix numeric character reference parsing
- Enforce exact entity name matching
- Guard against size_t underflow and oversized entities
- Reject invalid Unicode code points

xplist: Use memcpy instead of strncpy since we know the exact size 2b5b43bdb3

plist: Fix plist_is_binary() not checking for NULL input ... 06d92b1152

Fixes issue #300

Credit to @jasonmli8

time64: Add time_s support for WIN32 ... 287e7e7fd6

Signed-off-by: Rosen Penev <rosenp@gmail.com>

bplist: Fix compiler warning with explicit cast ... 1d628bc5b0

Credit to @ylwango613

plist: Improve plist_dict_get_item() to safely iterate key/value pairs ... d0e6ef114a

Use explicit key/value stepping, zero-initialize hash lookup key,
and perform length-checked comparisons on NUL-terminated key strings.

plistutil: Make sure to check for memory allocation failure ... 57664f6394

Addresses #302.

Credit to @ylwango613.

xplist: Use small stack buffer instead of dynamic allocations ... ebf24567ea

This removes the necessity for malloc failures and reduces overhead

xplist: Improve robustness of XML text parsing and value conversion ... b7f09ccddd

This change adds stricter validation for numeric and date nodes,
including full-input consumption, overflow/range checks, and rejection
of invalid floating-point values. Whitespace handling is clarified by
explicitly trimming trailing XML whitespace for value nodes.

libcnary: Define error codes and add cycle, depth, and parent guards 1df039994f

libcnary: Fix node_detach to fully clear parent relationship ... 714ef4f956

Ensure node_detach() clears child->parent after removal and
handles missing children lists safely. This makes detached
nodes reusable and allows correct rollback when reinserting
nodes after failed inserts (e.g. depth-limit failures).

Without this, detached nodes could remain logically parented,
causing inconsistent state and preventing reinsertion.

plist: Handle node_attach/node_insert failures ... 9ef0d05265

Update plist array and dict mutation helpers to check
return values from node_attach() and node_insert(). This
prevents cache corruption and allows new depth and cycle
checks to be enforced correctly.

plist: Make plist copy and free implementations iterative ... 8c78d89041

Convert plist_free_node() and plist_copy_node() to iterative
implementations. This avoids unbounded recursion and stack
overflow when handling deeply nested plist data, while
preserving existing semantics and caches.

Add NULL checks across codebase 4e82bc8567

plist: make array and dict iterators opaque ... a7e82b8465

Introduce private iterator structs for plist_array_iter and
plist_dict_iter, and fix *_next_item() to properly advance
iterator state and handle malformed containers safely.

jplist: Add another NULL check to prevent NULL pointer dereference c4763002d2

bplist: Add overflow check to node offset pointer arithmetic ... 9969b8ebeb

Credit to OSSFuzz

libcnary: Fix leak on error in node_copy_deep() 70fd355f94

json: Fix a few memory leaks d5a582e95a

plistutil: Use getopt for solid option parsing 30132a9e2c

plistutil: Add a --nodepath option to allow selecting a specific node e3d5bbdf1f

plistutil: Read STDIN in chunks instead of 1 byte at a time 3bdee70a9c

xplist: Convert nested {CF$UID:<int>} dicts to PLIST_UID safely ... f5e74fc1e0

Convert single-entry { "CF$UID" : <integer> } dictionaries to PLIST_UID
nodes when closing a dict in the XML parser.

Refactor node cleanup logic:
- Split plist_free_data() into internal _plist_free_data()
- Introduce plist_free_children() to release child nodes separately
- Update plist_set_element_val() to free children before changing
  container node types
- Ensure PLIST_DICT hashtables do not free values (assert + force
  free_func = NULL)

This avoids in-place container mutation issues and ensures child
nodes and container metadata are released correctly before
changing node type.

Co-authored-by: Sami Kortelainen <sami.kortelainen@piceasoft.com>
Co-authored-by: Nikias Bassen <nikias@gmx.li>

xplist: Enforce single root value inside <plist> ... 6e03a1df6d

Ensure that XML property lists contain exactly one root value inside the <plist> element and reject any additional value nodes before </plist>.

Add tests covering root value handling and nested CF$UID conversion behavior.

Co-authored-by: Sami Kortelainen <sami.kortelainen@piceasoft.com>
Co-authored-by: Nikias Bassen <nikias@gmx.li>

Add JSON coercion support for non-JSON plist types ... 3edac28498

- Add PLIST_OPT_COERCE option to coerce PLIST_DATE, PLIST_DATA, and PLIST_UID to JSON-compatible types (ISO 8601 strings, Base64 strings, and integers)
- Add plist_to_json_with_options() function to allow passing coercion options (and others)
- Update plist_write_to_string() and plist_write_to_stream() to support coercion option
- Add --coerce flag to plistutil for JSON output
- Create plist2json symlink that automatically enables coercion when invoked

Add OpenStep coercion support for non-OpenStep plist types ... c8b36a80ba

- Use PLIST_OPT_COERCE option to coerce PLIST_BOOLEAN, PLIST_DATE, PLIST_UID, and PLIST_NULL to OpenStep-compatible types (1 or 0, ISO 8601 strings, integers, and 'NULL' string)
- Add plist_to_openstep_with_options() function to allow passing coercion option (and others)
- Update plist_write_to_string() and plist_write_to_stream() accordingly

Fix Cython crashes f41b1ea670

Fix fread() unused return values by actually handling errors 9dfcfe8dc2

Add OpenStep to man page dddb76d74a

This pull request can be merged automatically.

This branch is out-of-date with the base branch

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u master:mirror-master

git switch mirror-master

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch master

git merge --no-ff mirror-master

git switch mirror-master

git rebase master

git switch master

git merge --ff-only mirror-master

git switch mirror-master

git rebase master

git switch master

git merge --no-ff mirror-master

git switch master

git merge --squash mirror-master

git switch master

git merge --ff-only mirror-master

git switch master

git merge mirror-master

git push origin master

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

SideStore/libplist!1

No description provided.