Fix an uninitialized memory access in json_pointer.

Add comments describing when the fields of the internal struct json_pointer_get_result are valid.

diff --git a/json_patch.c b/json_patch.c
index 97d9dd843c767f99df40acc035f0d90dff56f121..b48eed85bbfcbec0f354bd9a7a04709bcafa711f 100644 (file)
--- a/json_patch.c
+++ b/json_patch.c
@@ -49,9 +49,9 @@ static int json_patch_apply_test(struct json_object **res,
 static int __json_patch_apply_remove(struct json_pointer_get_result *jpres)
 {
        if (json_object_is_type(jpres->parent, json_type_array)) {
-               return json_object_array_del_idx(jpres->parent, jpres->id.index, 1);
-       } else if (jpres->parent && jpres->id.key) {
-               json_object_object_del(jpres->parent, jpres->id.key);
+               return json_object_array_del_idx(jpres->parent, jpres->index_in_parent, 1);
+       } else if (jpres->parent && jpres->key_in_parent) {
+               json_object_object_del(jpres->parent, jpres->key_in_parent);
                return 0;
        } else {
                return json_object_put(jpres->obj);

diff --git a/json_pointer.c b/json_pointer.c
index e6e5f91b1c9f152ee6fc62b77f0c1f15e9252075..89e9e213fa52e89e279a82cd4ac450be59862710 100644 (file)
--- a/json_pointer.c
+++ b/json_pointer.c
@@ -190,9 +190,9 @@ static int json_pointer_result_get_recursive(struct json_object *obj, char *path
                res->parent = parent_obj;
                res->obj = obj;
                if (json_object_is_type(res->parent, json_type_array))
-                       res->id.index = idx;
+                       res->index_in_parent = idx;
                else
-                       res->id.key = path;
+                       res->key_in_parent = path;
        }
 
        return 0;
@@ -228,11 +228,10 @@ int json_pointer_get_internal(struct json_object *obj, const char *path,
 
        if (path[0] == '\0')
        {
-               if (res) {
-                       res->parent = NULL;
-                       res->obj = obj;
-               }
-               res->id.key = NULL;
+               res->parent = NULL;
+               res->obj = obj;
+               res->key_in_parent = NULL;
+               res->index_in_parent = -1;
                return 0;
        }
 
@@ -244,8 +243,8 @@ int json_pointer_get_internal(struct json_object *obj, const char *path,
        }
        rc = json_pointer_result_get_recursive(obj, path_copy, res);
        /* re-map the path string to the const-path string */
-       if (rc == 0 && res->id.key && !json_object_is_type(res->parent, json_type_array))
-               res->id.key = path + (res->id.key - path_copy);
+       if (rc == 0 && json_object_is_type(res->parent, json_type_object) && res->key_in_parent)
+               res->key_in_parent = path + (res->key_in_parent - path_copy);
        free(path_copy);
 
        return rc;

diff --git a/json_pointer_private.h b/json_pointer_private.h
index 40ec76dc6171448c064fe8f65b315e3a11bea11b..537cabd36ea9de84a295488f2794f739538aeb09 100644 (file)
--- a/json_pointer_private.h
+++ b/json_pointer_private.h
@@ -19,10 +19,11 @@ extern "C" {
 struct json_pointer_get_result {
        struct json_object *parent;
        struct json_object *obj;
-       union {
-               const char *key;
-               uint32_t index;
-       } id;
+       // The key of the found object; only valid when parent is json_type_object
+       // Caution: re-uses tail end of the `path` argument to json_pointer_get_internal
+       const char *key_in_parent;
+       // the index of the found object; only valid when parent is json_type_array
+       uint32_t index_in_parent;
 };
 
 int json_pointer_get_internal(struct json_object *obj, const char *path,