From 0c5992cdb85ac6d9d14b95e77f03797600e87667 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Mon, 9 May 2022 14:28:36 +0200
Subject: [PATCH] shared/json: fix memory leak on failed normalization

We need to increase the counter immediately after taking the ref,
otherwise we may not unref it properly if we fail before incrementing.

(cherry picked from commit 7e4be6a5845f983a299932d4ccb2c4349cf8dd52)
Related: #2087652
---
 src/shared/json.c                       | 5 +++--
 test/fuzz/fuzz-json/leak-normalize-fail | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)
 create mode 100644 test/fuzz/fuzz-json/leak-normalize-fail

diff --git a/src/shared/json.c b/src/shared/json.c
index ea1291e21b..fe05657dad 100644
--- a/src/shared/json.c
+++ b/src/shared/json.c
@@ -4655,10 +4655,11 @@ int json_variant_normalize(JsonVariant **v) {
         if (!a)
                 return -ENOMEM;
 
-        for (i = 0; i < m; i++) {
+        for (i = 0; i < m; ) {
                 a[i] = json_variant_ref(json_variant_by_index(*v, i));
+                i++;
 
-                r = json_variant_normalize(a + i);
+                r = json_variant_normalize(&a[i-1]);
                 if (r < 0)
                         goto finish;
         }
diff --git a/test/fuzz/fuzz-json/leak-normalize-fail b/test/fuzz/fuzz-json/leak-normalize-fail
new file mode 100644
index 0000000000..b247ccd199
--- /dev/null
+++ b/test/fuzz/fuzz-json/leak-normalize-fail
@@ -0,0 +1 @@
+[7E73]
\ No newline at end of file