From 9361d8d3a89475f5aadcac2c5473da1c4c47c7e2 Mon Sep 17 00:00:00 2001 From: Juuso Alasuutari Date: Sat, 4 Sep 2021 20:14:30 +0300 Subject: Fix use-after-free in json_tokener_new_ex() The failure path taken in the event of printbuf_new() returning NULL calls free() on tok->stack after already having freed tok. Swap the order of the two calls to fix an obvious memory access violation. Fixes: bcb6d7d3474b ("Handle allocation failure in json_tokener_new_ex") Signed-off-by: Juuso Alasuutari --- json_tokener.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/json_tokener.c b/json_tokener.c index 052c4b5..4a25645 100644 --- a/json_tokener.c +++ b/json_tokener.c @@ -164,8 +164,8 @@ struct json_tokener *json_tokener_new_ex(int depth) tok->pb = printbuf_new(); if (!tok->pb) { - free(tok); free(tok->stack); + free(tok); return NULL; } tok->max_depth = depth; -- cgit v1.2.1
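Review bot: The `if (!tok->pb)` branch still open-codes the teardown of a partially built tokener, and that is where the ordering mistake came from. The new order (`free(tok->stack);` before `free(tok);`) is correct, since `tok->stack` must be read while `tok` is still valid. Consider routing this failure path through a single cleanup sequence that releases the members first and `tok` last, so that a later allocation added to json_tokener_new_ex() cannot reintroduce the same use-after-free. The diffstat shows only json_tokener.c changed, so nothing exercises this path; a test that forces printbuf_new() to return NULL, run under a memory-error detector, would keep the fix from regressing.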