richardphibel / rpms / systemd

Forked from rpms/systemd 2 years ago
Clone
8d419f
From 0c5992cdb85ac6d9d14b95e77f03797600e87667 Mon Sep 17 00:00:00 2001
8d419f
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
8d419f
Date: Mon, 9 May 2022 14:28:36 +0200
8d419f
Subject: [PATCH] shared/json: fix memory leak on failed normalization
8d419f
8d419f
We need to increase the counter immediately after taking the ref,
8d419f
otherwise we may not unref it properly if we fail before incrementing.
8d419f
8d419f
(cherry picked from commit 7e4be6a5845f983a299932d4ccb2c4349cf8dd52)
8d419f
Related: #2087652
8d419f
---
8d419f
 src/shared/json.c                       | 5 +++--
8d419f
 test/fuzz/fuzz-json/leak-normalize-fail | 1 +
8d419f
 2 files changed, 4 insertions(+), 2 deletions(-)
8d419f
 create mode 100644 test/fuzz/fuzz-json/leak-normalize-fail
8d419f
8d419f
diff --git a/src/shared/json.c b/src/shared/json.c
8d419f
index ea1291e21b..fe05657dad 100644
8d419f
--- a/src/shared/json.c
8d419f
+++ b/src/shared/json.c
8d419f
@@ -4655,10 +4655,11 @@ int json_variant_normalize(JsonVariant **v) {
8d419f
         if (!a)
8d419f
                 return -ENOMEM;
8d419f
 
8d419f
-        for (i = 0; i < m; i++) {
8d419f
+        for (i = 0; i < m; ) {
8d419f
                 a[i] = json_variant_ref(json_variant_by_index(*v, i));
8d419f
+                i++;
8d419f
 
8d419f
-                r = json_variant_normalize(a + i);
8d419f
+                r = json_variant_normalize(&a[i-1]);
8d419f
                 if (r < 0)
8d419f
                         goto finish;
8d419f
         }
8d419f
diff --git a/test/fuzz/fuzz-json/leak-normalize-fail b/test/fuzz/fuzz-json/leak-normalize-fail
8d419f
new file mode 100644
8d419f
index 0000000000..b247ccd199
8d419f
--- /dev/null
8d419f
+++ b/test/fuzz/fuzz-json/leak-normalize-fail
8d419f
@@ -0,0 +1 @@
8d419f
+[7E73]
8d419f
\ No newline at end of file