Segmentation fault after invoking json_object_clear() and json_object_remove() back to back.
bennydiamond opened this issue · 1 comment
bennydiamond commented
Consider the following snippet:

#include "parson.h"

int main(void) {
    JSON_Value *foo = json_value_init_object();
    JSON_Object *bar = json_value_get_object(foo);
    json_object_set_string(bar, "key1", "string");
    json_object_clear(bar);                       /* frees the object's storage */
    json_object_remove(bar, "key1");              /* looks "key1" up in that freed storage */
    json_object_set_string(bar, "key2", "test");  /* relies on obj->count, which may have rolled back */
    json_value_free(foo);
    return 0;
}
The call to json_object_remove() will still find the "key1" key if the freed heap (from calling json_object_clear()) is left untouched. json_object_get_cell_ix() will seek the previously freed memory and find the key. At that point, the top-level count member will be decremented and possibly roll back to -1. Any further operation that relies on a valid obj->count value (like json_object_set_string() in the example above) will probably generate a segmentation fault if this value rolled back over zero.
Suggestion

Reset obj->cell_capacity on a json_object_clear() call.

Maybe resetting obj->item_capacity as well might be a good idea?
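The invariant at stake, as an added self-contained C model (not parson's code; the Obj struct, slot layout and obj_* names are assumptions): the lookup is bounded by cell_capacity the way the report describes json_object_get_cell_ix(), and clear() applies the suggested fix of resetting that capacity, so the clear-then-remove sequence from the snippet above becomes a clean miss instead of a read of freed memory.

```c
#include <stdlib.h>
#include <string.h>
#define INVALID_IX ((size_t)-1)
typedef struct {
    char **names;                 /* slots holding key strings, NULL when free */
    size_t count, cell_capacity;  /* live entries; slots (the field a buggy clear() leaves stale) */
} Obj;

/* Lookup is bounded by cell_capacity, not count, which is why a clear() that frees the
 * slots but keeps cell_capacity makes the next remove() read freed memory and underflow count. */
static size_t obj_get_cell_ix(const Obj *o, const char *name) {
    for (size_t i = 0; i < o->cell_capacity; i++)
        if (o->names[i] && strcmp(o->names[i], name) == 0) return i;
    return INVALID_IX;
}
/* Hardened clear (the issue's suggestion): free the slots AND reset cell_capacity. */
void obj_clear(Obj *o) {
    for (size_t i = 0; i < o->cell_capacity; i++) free(o->names[i]);
    free(o->names);
    o->names = NULL; o->count = 0; o->cell_capacity = 0;
}
int obj_set(Obj *o, const char *name) {   /* 0 on success, -1 on allocation failure */
    if (obj_get_cell_ix(o, name) != INVALID_IX) return 0;   /* key already present */
    if (o->count == o->cell_capacity) {   /* grow; new slots start out free */
        size_t ncap = o->cell_capacity ? o->cell_capacity * 2 : 4;
        char **grown = realloc(o->names, ncap * sizeof *grown);
        if (!grown) return -1;
        for (size_t i = o->cell_capacity; i < ncap; i++) grown[i] = NULL;
        o->names = grown; o->cell_capacity = ncap;
    }
    size_t slot = 0, len = strlen(name) + 1;
    while (o->names[slot]) slot++;        /* count < cell_capacity, so a free slot exists */
    if (!(o->names[slot] = malloc(len))) return -1;
    memcpy(o->names[slot], name, len);
    o->count++;
    return 0;
}
int obj_remove(Obj *o, const char *name) {   /* 0 removed, -1 key not present */
    size_t ix = obj_get_cell_ix(o, name);
    if (ix == INVALID_IX) return -1;         /* a miss never touches count */
    free(o->names[ix]); o->names[ix] = NULL; o->count--;
    return 0;
}
/* The issue's sequence: set, clear, remove, set. Returns 1 iff the remove is a clean miss and count ends at 1. */
int issue_scenario(void) {
    Obj o = {0};
    obj_set(&o, "key1"); obj_clear(&o);
    int miss = obj_remove(&o, "key1");
    obj_set(&o, "key2");
    int ok = (miss == -1 && o.count == 1);
    obj_clear(&o); return ok;
}
```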
kgabis commented
Fixed in 1.5.1, thanks!