From 73b4f5d3e25d0ecfafd390a880365ffa858f0e73 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ole=20Andr=C3=A9=20Vadla=20Ravn=C3=A5s?= Date: Mon, 24 Aug 2020 17:00:50 +0100 Subject: Fix copy behavior for complex types The parent of the reffed children were previously left pointing to the original node. In the best-case scenario this would lead to inconsistent state when walking down a tree and then walking back up again. In the worst-case scenario this would happen when the original node had a shorter life-time than the copy, resulting in use-after-free. A typical scenario where this went wrong was with json_from_string(), which would copy the root node, let go of the last reference to the root node, and then return the copy. The copy would then have dangling `parent` pointers. This probably went unnoticed for most use-cases, but would go terribly wrong if someone used a JsonReader and navigated back up the tree by e.g. calling end_member(). Fixes: #20 Fixes: #32 --- json-glib/json-array.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'json-glib/json-array.c') diff --git a/json-glib/json-array.c b/json-glib/json-array.c index 4834cdc..ecb9e72 100644 --- a/json-glib/json-array.c +++ b/json-glib/json-array.c @@ -85,6 +85,30 @@ json_array_sized_new (guint n_elements) return array; } +JsonArray * +json_array_copy (JsonArray *array, + JsonNode *new_parent) +{ + JsonArray *copy; + guint i; + + copy = json_array_sized_new (array->elements->len); + for (i = 0; i < array->elements->len; i++) + { + JsonNode *child_copy; + + child_copy = json_node_copy (g_ptr_array_index (array->elements, i)); + child_copy->parent = new_parent; + g_ptr_array_index (copy->elements, i) = child_copy; + } + copy->elements->len = array->elements->len; + + copy->immutable_hash = array->immutable_hash; + copy->immutable = array->immutable; + + return copy; +} + /** * json_array_ref: * @array: a #JsonArray -- cgit v1.2.1