add_item_to_object: Fix use-after-free when string is aliased

If the `string` property of the item that is added is an alias to the `string` parameter of `add_item_to_object`, and `constant` is false, `cJSON_strdup` would access the string after it has been freed. Thanks @hhallen for reporting this in #248.
2023-08-10 21:13:26 +03:00 · 2018-03-02 19:49:55 +01:00
parent a559eac472
commit 22a7d04fa0
2 changed files with 41 additions and 16 deletions
--- a/cJSON.c
+++ b/cJSON.c
@ -1895,32 +1895,37 @@ static void* cast_away_const(const void* string)

 static cJSON_bool add_item_to_object(cJSON * const object, const char * const string, cJSON * const item, const internal_hooks * const hooks, const cJSON_bool constant_key)
 {
+    char *new_key = NULL;
+    int new_type = cJSON_Invalid;
+
    if ((object == NULL) || (string == NULL) || (item == NULL))
    {
        return false;
    }

+    if (constant_key)
+    {
+        new_key = (char*)cast_away_const(string);
+        new_type = item->type | cJSON_StringIsConst;
+    }
+    else
+    {
+        new_key = (char*)cJSON_strdup((const unsigned char*)string, hooks);
+        if (new_key == NULL)
+        {
+            return false;
+        }
+
+        new_type = item->type & ~cJSON_StringIsConst;
+    }
+
    if (!(item->type & cJSON_StringIsConst) && (item->string != NULL))
    {
        hooks->deallocate(item->string);
    }

-    if (constant_key)
-    {
-        item->string = (char*)cast_away_const(string);
-        item->type |= cJSON_StringIsConst;
-    }
-    else
-    {
-        char *key = (char*)cJSON_strdup((const unsigned char*)string, hooks);
-        if (key == NULL)
-        {
-            return false;
-        }
-
-        item->string = key;
-        item->type &= ~cJSON_StringIsConst;
-    }
+    item->string = new_key;
+    item->type = new_type;

    return add_item_to_array(object, item);
 }