object: Replace the name pointer in the members list

When calling g_hash_table_replace() we also free the string holding the
member name. This means that the const gchar* pointer we store inside
the list of ordered member names now points to garbage - so if somebody
tries to iterate over the members list it will get random values instead
of a valid C string.

Since we guaranteed insertion order, if we replace the contents of a
JsonObject member we need to find the right pointer and replace it: just
removing and prepending won't do.

https://bugzilla.gnome.org/show_bug.cgi?id=642383

1 files changed, 21 insertions, 0 deletions

diff --git a/json-glib/json-object.c b/json-glib/json-object.c
index 0b5875f..7a5f2ec 100644
--- a/json-glib/json-object.c
+++ b/json-glib/json-object.c
@@ -25,6 +25,8 @@
 #include "config.h"
 #endif
 
+#include <string.h>
+
 #include <glib.h>
 
 #include "json-types-private.h"
@@ -131,6 +133,25 @@ object_set_member_internal (JsonObject  *object,
 
   if (g_hash_table_lookup (object->members, name) == NULL)
     object->members_ordered = g_list_prepend (object->members_ordered, name);
+  else
+    {
+      GList *l;
+
+      /* if the member already exists then we need to replace the
+       * pointer to its name, to avoid keeping invalid pointers
+       * once we replace the key in the hash table
+       */
+      for (l = object->members_ordered; l != NULL; l =  l->next)
+        {
+          gchar *tmp = l->data;
+
+          if (strcmp (tmp, name) == 0)
+            {
+              l->data = name;
+              break;
+            }
+        }
+    }
 
   g_hash_table_replace (object->members, name, node);
 }