Commit c033292

committed
Safer GenericValue& operator=(GenericValue& rhs).
When rhs is a sub-Value of *this, destroying *this also destroys/frees rhs, thus the following RawAssign(rhs) crashes. Address this by saving/moving rhs to a temporary first, which clears rhs and avoids its destruction with *this. The crash can be reproduced in test Value.MergeDuplicateKey by using the CrtAllocator instead of the default Document's MemoryPoolAllocator.
1 parent 1c2c8e0 commit c033292
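The ownership shape the commit message describes, as an added illustration that is not rapidjson code: a hypothetical `Node` type (names `Node`, `SetChildren`, `Destroy`, `RawAssign`, `Result` and `AssignSubValueIntoParent` are made up for this example) owns its children in a heap array and applies the same temp-first ordering as the patch when a child is assigned into its own parent.

```cpp
#include <cstddef>
// Hypothetical owning DOM node (not rapidjson's GenericValue): each child lives in
// a heap array owned by its parent, so it is a sub-Value freed with that parent.
struct Node {
    int value = 0;
    Node* children = nullptr;  // owned array, released in Destroy()
    std::size_t count = 0;
    Node() = default;
    Node(const Node&) = delete;
    Node& operator=(const Node&) = delete;
    ~Node() { Destroy(); }
    Node* SetChildren(std::size_t n) {  // allocate n children; caller fills them in
        Destroy();
        children = new Node[n]; count = n;
        return children;
    }
    void Destroy() noexcept {  // frees the children; rhs may live inside this array
        delete[] children;
        children = nullptr; count = 0;
    }
    void RawAssign(Node& rhs) noexcept {  // steal rhs's payload and leave rhs empty
        value = rhs.value; children = rhs.children; count = rhs.count;
        rhs.children = nullptr; rhs.count = 0;
    }
    // Ordering from the patch: park rhs in a temporary before releasing *this.
    // The old order (Destroy(); RawAssign(rhs);) reads rhs after Destroy() has
    // freed the array rhs sits in whenever rhs is a child of *this.
    Node& operator=(Node& rhs) noexcept {
        if (this != &rhs) {
            Node temp;
            temp.RawAssign(rhs);  // rhs now owns nothing
            Destroy();            // may free rhs's storage, but rhs points nowhere
            RawAssign(temp);      // temp is left empty, so its destructor is a no-op
        }
        return *this;
    }
};
struct Result { int value; std::size_t count; int first_child; };
// Build root -> [0, 20 -> [21, 0]] and assign root's second child into root itself.
// Expected: value 20, count 2, first_child 21 (the grandchildren survive the move).
Result AssignSubValueIntoParent() {
    Node root;
    Node* kids = root.SetChildren(2);
    kids[1].value = 20;
    Node* grandkids = kids[1].SetChildren(2);
    grandkids[0].value = 21;
    root = root.children[1];  // rhs is a sub-Value of *this
    return Result{root.value, root.count, root.children[0].value};
}
```

Running this under AddressSanitizer with the two lines in `operator=` swapped back to the old order (`Destroy(); RawAssign(rhs);`) reports the heap-use-after-free the commit fixes.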

1 file changed

+6
-1
lines changed

include/rapidjson/document.h

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -916,8 +916,13 @@ class GenericValue {
916916
*/
917917
GenericValue& operator=(GenericValue& rhs) RAPIDJSON_NOEXCEPT {
918918
if (RAPIDJSON_LIKELY(this != &rhs)) {
919+
// Can't destroy "this" before assigning "rhs", otherwise "rhs"
920+
// could be used after free if it's an sub-Value of "this",
921+
// hence the temporary danse.
922+
GenericValue temp;
923+
temp.RawAssign(rhs);
919924
this->~GenericValue();
920-
RawAssign(rhs);
925+
RawAssign(temp);
921926
}
922927
return *this;
923928
}
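Review bot: the safety of the five added lines rests on two properties that the new comment does not state: `temp.RawAssign(rhs)` must leave `rhs` as Null, so that `this->~GenericValue()` can no longer free anything `rhs` still references, and `RawAssign(temp)` must leave `temp` Null, so that `temp`'s destructor at the end of the block is a no-op rather than a second release of the payload now owned by `*this`. Suggest saying so in the comment, and while there fixing its typos: "an sub-Value" should read "a sub-Value" and "danse" should read "dance". Since the commit message says the crash reproduces in Value.MergeDuplicateKey with CrtAllocator, a regression test that runs that case with CrtAllocator would keep the old destroy-then-assign order from being reintroduced.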
