Fix use-after-free in overwrite_item for reference-type nodes#1047
SongT-50 wants to merge 1 commit into
Conversation
overwrite_item() frees root->string, root->valuestring, and root->child without checking the cJSON_StringIsConst / cJSON_IsReference flags that cJSON_Delete() already honors. When a reference-type node (from cJSON_CreateObjectReference / cJSON_CreateArrayReference / cJSON_CreateStringReference) is used as the root object of a JSON-Patch root replacement/add (path "") via cJSONUtils_ApplyPatches, overwrite_item frees externally-owned memory that another object still references, leading to use-after-free / double-free. This mirrors the guards cJSON_Delete() applies, restoring internal consistency. Distinct from DaveGamble#1010 (missing NULL-object check on the same path): here object is a valid, non-NULL reference node.
Summary
overwrite_item() (cJSON_Utils.c) frees root->string, root->valuestring, and root->child without checking the cJSON_StringIsConst / cJSON_IsReference flags that cJSON_Delete() already honors.

When a reference-type node (created via cJSON_CreateObjectReference, cJSON_CreateArrayReference, or cJSON_CreateStringReference) is used as the root object of a JSON-Patch root replacement/add (path "") through cJSONUtils_ApplyPatches, overwrite_item frees externally-owned memory that another object still references — a use-after-free / double-free.

This is distinct from #1010 (missing NULL-object check on the same path): there object is NULL; here object is a valid, non-NULL reference node, and the missing check is the reference flag, not a NULL guard. The two issues are independent.

Reproduction (AddressSanitizer)
ASAN reports:
- heap-use-after-free: overwrite_item (cJSON_Utils.c) via cJSON_Delete(root->child) during apply_patch → cJSONUtils_ApplyPatches
- cJSON_Delete(owner) reading the already-freed child

With this patch applied, the same program runs clean (no ASAN report).
Fix
Mirror the exact guards cJSON_Delete() already applies, restoring internal consistency (no behavioral change for non-reference nodes):

All 22 existing tests pass (ctest), including json_patch_tests, old_utils_tests, and misc_utils_tests.

Note
Originally reported by email on April 6, 2026 (with a follow-up on June 17); opening as a PR after 90 days as the maintainer inbox appears inactive. Happy to adjust the approach to your preference.
Found via cross-model AI code review (independent analysis by Claude and Codex, using a generator/evaluator separation); the use-after-free was surfaced by the Codex pass.
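As an added illustration, not the PR's diff and not cJSON's source, the model below reduces the scenario to a stand-in node struct carrying the flag values from cJSON.h, a delete routine that applies cJSON_Delete's ownership rules, and the unguarded and guarded forms of the root overwrite side by side. The quarantine-style free tracker is a hypothetical stand-in for ASan's quarantine: released pointers are held rather than returned to the allocator, so the second release of the shared child is counted instead of crashing the process. Function and variable names are the example's own.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for the cJSON node: only the fields overwrite_item touches.
 * Flag values mirror cJSON.h, but this is a model, not the real library. */
#define cJSON_String        (1 << 4)
#define cJSON_Object        (1 << 6)
#define cJSON_IsReference   256
#define cJSON_StringIsConst 512

typedef struct node {
    struct node *next;
    struct node *child;
    int type;
    char *valuestring;
    char *string;
} node;

/* Quarantine (hypothetical stand-in for ASan): released pointers are held,
 * not given back to malloc, so a second release of the same pointer is
 * counted rather than performed. */
#define QUARANTINE_MAX 64
static void *quarantine[QUARANTINE_MAX];
static int quarantine_len;
static int double_frees;

static void tracked_free(void *p)
{
    if (p == NULL) return;
    for (int i = 0; i < quarantine_len; i++) {
        if (quarantine[i] == p) { double_frees++; return; }
    }
    if (quarantine_len < QUARANTINE_MAX) quarantine[quarantine_len++] = p;
}

static void quarantine_reset(void)
{
    for (int i = 0; i < quarantine_len; i++) free(quarantine[i]);
    quarantine_len = 0;
    double_frees = 0;
}

static node *new_node(int type)
{
    node *n = calloc(1, sizeof *n);
    n->type = type;
    return n;
}

static char *dup_str(const char *s)
{
    size_t len = strlen(s) + 1;
    return memcpy(malloc(len), s, len);
}

/* The ownership rules cJSON_Delete honors: a reference node owns neither
 * its child nor its valuestring; a const key string is never freed. */
static void delete_tree(node *item)
{
    while (item != NULL) {
        node *next = item->next;
        if (!(item->type & cJSON_IsReference) && item->child != NULL)
            delete_tree(item->child);
        if (!(item->type & cJSON_IsReference) && item->valuestring != NULL)
            tracked_free(item->valuestring);
        if (!(item->type & cJSON_StringIsConst) && item->string != NULL)
            tracked_free(item->string);
        tracked_free(item);
        item = next;
    }
}

/* Root replacement as the PR describes the unguarded overwrite_item:
 * every owned-looking field is released regardless of the flags. */
static void overwrite_item_unguarded(node *root, const node *replacement)
{
    tracked_free(root->string);
    tracked_free(root->valuestring);
    delete_tree(root->child);
    memcpy(root, replacement, sizeof(node));
}

/* Guarded version: the same checks delete_tree applies. */
static void overwrite_item_guarded(node *root, const node *replacement)
{
    if (!(root->type & cJSON_StringIsConst))
        tracked_free(root->string);
    if (!(root->type & cJSON_IsReference)) {
        tracked_free(root->valuestring);
        delete_tree(root->child);
    }
    memcpy(root, replacement, sizeof(node));
}

/* Scenario: an owner object holds a child; a reference node sharing that
 * child is used as the patch root and overwritten with an empty object;
 * then the owner is deleted. Returns the number of double releases seen. */
int run_scenario(int guarded)
{
    node *owner = new_node(cJSON_Object);
    node *child = new_node(cJSON_String);
    node *ref   = new_node(cJSON_Object | cJSON_IsReference);
    node replacement;
    int observed;

    child->string      = dup_str("key");
    child->valuestring = dup_str("shared");
    owner->child = child;
    ref->child   = owner->child;          /* cJSON_CreateObjectReference style */

    memset(&replacement, 0, sizeof replacement);
    replacement.type = cJSON_Object;      /* patch: replace root with {} */

    if (guarded) overwrite_item_guarded(ref, &replacement);
    else         overwrite_item_unguarded(ref, &replacement);

    delete_tree(owner);                   /* owner still owns child */
    delete_tree(ref);                     /* ref is now a plain empty object */

    observed = double_frees;
    quarantine_reset();
    return observed;
}
```

run_scenario(0) reports three double releases: the child's key string, its valuestring, and the child node itself are each released once through the reference root and again through the owner. run_scenario(1) reports none, because the guarded overwrite releases only what the node actually owns, which for a reference node is nothing beyond its own key.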