Fix #105, double free when parse_string fails

This fixes a double free that happens when calling cJSON_Delete on an item that has been used by parse_string and it failed parsing the string. The double free happens, because parse_string frees an alias of item->valuestring, but doesn't set item->valuestring to NULL.
DaveGamble · Feb 15, 2017 · 94117a5 · 94117a5
1 parent c3bd446
commit 94117a5
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/cJSON.c b/cJSON.c
@@ -468,7 +468,6 @@ static const unsigned char *parse_string(cJSON *item, const unsigned char *str,
     {
         goto fail;
     }
-    item->valuestring = (char*)out; /* assign here so out will be deleted during cJSON_Delete() later */
     item->type = cJSON_String;
 
     ptr = str + 1;
@@ -608,6 +607,8 @@ static const unsigned char *parse_string(cJSON *item, const unsigned char *str,
         ptr++;
     }
 
+    item->valuestring = (char*)out;
+
     return ptr;
 
 fail: