Fix use-after-free in json_tokener_new_ex()

The failure path taken in the event of printbuf_new() returning NULL calls free() on tok->stack after already having freed tok. Swap the order of the two calls to fix an obvious memory access violation. Fixes: bcb6d7d347 ("Handle allocation failure in json_tokener_new_ex") Signed-off-by: Juuso Alasuutari <juuso.alasuutari@gmail.com>
2026-03-24 15:39:07 +08:00 · 2021-09-04 20:14:30 +03:00
parent dc1ef7d566
commit 9361d8d3a8
1 changed files with 1 additions and 1 deletions
--- a/json_tokener.c
+++ b/json_tokener.c
@@ -164,8 +164,8 @@ struct json_tokener *json_tokener_new_ex(int depth)
 	tok->pb = printbuf_new();
 	if (!tok->pb)
 	{
-		free(tok);
 		free(tok->stack);
+		free(tok);
 		return NULL;
 	}
 	tok->max_depth = depth;