kgabis/parson

Segmentation fault after invoking json_object_clear() and json_object_remove() back to back.

bennydiamond opened this issue · 1 comment

Consider the following snippet:

    #include "parson.h"

    int main(void) {
        JSON_Value *foo = json_value_init_object();
        JSON_Object *bar = json_value_get_object(foo);
        json_object_set_string(bar, "key1", "string");
        json_object_clear(bar);                 /* frees the entries */
        json_object_remove(bar, "key1");        /* still finds the stale "key1" cell */
        json_object_set_string(bar, "key2", "test");
        json_value_free(foo);
        return 0;
    }

The call to json_object_remove() will still find the "key1" key if the freed heap memory (from calling json_object_clear()) is left untouched. json_object_get_cell_ix() will seek the previously freed memory and find the key. At that point, the top-level count member will be decremented and possibly roll back to -1. Any further operation that relies on a valid obj->count value (like json_object_set_string() in the example above) will probably generate a segmentation fault if this value rolled back over zero.

Suggestion

Reset obj->cell_capacity on json_object_clear() call
Maybe resetting obj->item_capacity as well might be a good idea?
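To make the failure mode concrete, here is an added, self-contained model of the bug class (this is not parson's code; the `Obj`, `obj_set`, `obj_remove`, `obj_clear_buggy` and `obj_clear_fixed` names are invented for the demonstration). A small key/value object keeps entries in parallel arrays and a hash index of "cells" pointing at slot indices, so a lookup only consults the index. The defective `clear()` discards entries but leaves the index and `cell_capacity` as they were, so the following `remove()` still finds the old key and decrements `count` below zero; the corrected `clear()` resets `cell_capacity`, as the issue suggests, and `set()` rebuilds the index on the next insert. To keep the demonstration deterministic the buggy clear keeps the key strings alive instead of freeing them, so nothing here reads freed memory; the logic error (removing an entry that clear() already discarded) is the same.

```c
/* Added example, not parson's code: minimal object that models the clear()/remove() bug. */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define CELL_CAP 8          /* fixed capacity, enough for the demonstration */
#define CELL_EMPTY (-1)
#define CELL_TOMB  (-2)     /* removed entry; probing continues past it */

typedef struct {
    char *names[CELL_CAP];
    char *values[CELL_CAP];
    int   cells[CELL_CAP];  /* hash cell -> slot index, or CELL_EMPTY / CELL_TOMB */
    int   count;
    int   cell_capacity;    /* 0 = index not built (or invalidated by clear) */
} Obj;

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

static unsigned hash_str(const char *s) {
    unsigned h = 5381;                                  /* djb2 */
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}

static void build_index(Obj *o) {
    o->cell_capacity = CELL_CAP;
    for (int i = 0; i < CELL_CAP; i++) o->cells[i] = CELL_EMPTY;
}

void obj_init(Obj *o) { memset(o, 0, sizeof *o); build_index(o); }

/* Returns the cell holding `name`, or -1. Only the index is consulted: this is
 * the step that goes wrong when clear() leaves the index stale. */
static int get_cell_ix(const Obj *o, const char *name) {
    if (o->cell_capacity == 0) return -1;
    unsigned start = hash_str(name) % (unsigned)o->cell_capacity;
    for (int i = 0; i < o->cell_capacity; i++) {
        int c = (int)((start + (unsigned)i) % (unsigned)o->cell_capacity);
        if (o->cells[c] == CELL_EMPTY) return -1;
        if (o->cells[c] == CELL_TOMB) continue;
        if (o->names[o->cells[c]] && strcmp(o->names[o->cells[c]], name) == 0) return c;
    }
    return -1;
}

int obj_set(Obj *o, const char *name, const char *value) {
    if (o->cell_capacity == 0) build_index(o);          /* rebuild after a proper clear */
    int c = get_cell_ix(o, name);
    if (c >= 0) {                                       /* existing key: replace value */
        free(o->values[o->cells[c]]);
        o->values[o->cells[c]] = dup_str(value);
        return 0;
    }
    if (o->count < 0 || o->count >= CELL_CAP) return -1; /* corrupted count or full */
    unsigned start = hash_str(name) % (unsigned)o->cell_capacity;
    for (int i = 0; i < o->cell_capacity; i++) {
        c = (int)((start + (unsigned)i) % (unsigned)o->cell_capacity);
        if (o->cells[c] < 0) {                          /* empty or tombstone */
            o->names[o->count] = dup_str(name);
            o->values[o->count] = dup_str(value);
            o->cells[c] = o->count++;
            return 0;
        }
    }
    return -1;
}

int obj_remove(Obj *o, const char *name) {
    int c = get_cell_ix(o, name);
    if (c < 0) return -1;
    int ix = o->cells[c];
    free(o->names[ix]); free(o->values[ix]);
    o->names[ix] = NULL; o->values[ix] = NULL;
    o->cells[c] = CELL_TOMB;
    int last = o->count - 1;
    if (last >= 0 && ix != last) {                      /* move last slot into the gap */
        int lc = get_cell_ix(o, o->names[last]);
        o->names[ix] = o->names[last]; o->values[ix] = o->values[last];
        o->names[last] = NULL; o->values[last] = NULL;
        if (lc >= 0) o->cells[lc] = ix;
    }
    o->count--;                                         /* underflows if the entry was already cleared */
    return 0;
}

/* Defective pattern: entries discarded, index and cell_capacity left as-is. */
void obj_clear_buggy(Obj *o) {
    for (int i = 0; i < o->count; i++) { free(o->values[i]); o->values[i] = NULL; }
    o->count = 0;                                       /* names[] and cells[] still describe old keys */
}

/* Corrected pattern: reset cell_capacity so stale cells are never consulted. */
void obj_clear_fixed(Obj *o) {
    for (int i = 0; i < o->count; i++) {
        free(o->names[i]); free(o->values[i]);
        o->names[i] = NULL; o->values[i] = NULL;
    }
    o->count = 0;
    o->cell_capacity = 0;
}

void obj_destroy(Obj *o) {
    for (int i = 0; i < CELL_CAP; i++) { free(o->names[i]); free(o->values[i]); }
}

/* The issue's sequence against the defective clear(): returns the corrupted count (-1). */
int demo_buggy_sequence(void) {
    Obj o; obj_init(&o);
    obj_set(&o, "key1", "string");
    obj_clear_buggy(&o);
    obj_remove(&o, "key1");                             /* stale index still finds "key1" */
    int count = o.count;
    obj_destroy(&o);
    return count;
}

/* Same sequence with the corrected clear(): remove() fails cleanly, set() works; returns 1. */
int demo_fixed_sequence(void) {
    Obj o; obj_init(&o);
    obj_set(&o, "key1", "string");
    obj_clear_fixed(&o);
    int rc = obj_remove(&o, "key1");                    /* -1: key is really gone */
    obj_set(&o, "key2", "test");
    int count = (rc == -1) ? o.count : -99;
    obj_destroy(&o);
    return count;
}

int main(void) {
    printf("buggy clear: count = %d\n", demo_buggy_sequence());
    printf("fixed clear: count = %d\n", demo_fixed_sequence());
    return 0;
}
```

The guard in `obj_set` (`o->count < 0`) is what turns the issue's "probably a segmentation fault" into a clean failure in this model; the real fix is still the one in `obj_clear_fixed`, since a negative count should never be reachable in the first place.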

Fixed in 1.5.1, thanks!