From: Juuso Alasuutari Date: Sat, 4 Sep 2021 17:14:30 +0000 (+0300) Subject: Fix use-after-free in json_tokener_new_ex() X-Git-Tag: json-c-0.16-20220414~33^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F722%2Fhead;p=thirdparty%2Fjson-c.git Fix use-after-free in json_tokener_new_ex() The failure path taken in the event of printbuf_new() returning NULL calls free() on tok->stack after already having freed tok. Swap the order of the two calls to fix an obvious memory access violation. Fixes: bcb6d7d3474b ("Handle allocation failure in json_tokener_new_ex") Signed-off-by: Juuso Alasuutari --- diff --git a/json_tokener.c b/json_tokener.c index 052c4b52..4a25645d 100644 --- a/json_tokener.c +++ b/json_tokener.c @@ -164,8 +164,8 @@ struct json_tokener *json_tokener_new_ex(int depth) tok->pb = printbuf_new(); if (!tok->pb) { - free(tok); free(tok->stack); + free(tok); return NULL; } tok->max_depth = depth;
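Review bot: in the `if (!tok->pb)` failure branch the new order is right, since `free(tok->stack)` reads a member of `tok` and so has to run before `free(tok)`, but nothing in the code records that dependency, and the removed lines show how easily the pair gets written the other way round. Consider a one-line comment above the two calls, or routing this branch through a single cleanup path that releases members first and the struct last, so that a later allocation added to json_tokener_new_ex() does not reintroduce the same ordering mistake. This branch only runs when printbuf_new() returns NULL, which ordinary tests rarely reach; if the test suite has a way to force that allocation to fail, a case exercising it would guard the fix.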