diff options
| author | Juuso Alasuutari <juuso.alasuutari@gmail.com> | 2021-09-04 20:14:30 +0300 |
|---|---|---|
| committer | Juuso Alasuutari <juuso.alasuutari@gmail.com> | 2021-09-04 20:14:30 +0300 |
| commit | 9361d8d3a89475f5aadcac2c5473da1c4c47c7e2 (patch) | |
| tree | e0d3dd811673e4427d7c3ae1944ccb0fd931e176 /json_tokener.c | |
| parent | dc1ef7d566e0857bb10772e9048198ba46bd1485 (diff) | |
| download | json-c-9361d8d3a89475f5aadcac2c5473da1c4c47c7e2.tar.gz | |
Fix use-after-free in json_tokener_new_ex()
The failure path taken in the event of printbuf_new() returning NULL
calls free() on tok->stack after already having freed tok. Swap the
order of the two calls to fix an obvious memory access violation.
Fixes: bcb6d7d3474b ("Handle allocation failure in json_tokener_new_ex")
Signed-off-by: Juuso Alasuutari <juuso.alasuutari@gmail.com>
Diffstat (limited to 'json_tokener.c')
| -rw-r--r-- | json_tokener.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/json_tokener.c b/json_tokener.c index 052c4b5..4a25645 100644 --- a/json_tokener.c +++ b/json_tokener.c @@ -164,8 +164,8 @@ struct json_tokener *json_tokener_new_ex(int depth) tok->pb = printbuf_new(); if (!tok->pb) { - free(tok); free(tok->stack); + free(tok); return NULL; } tok->max_depth = depth; |