Issue json-c#332: fix a long-standing bug in array_list_put_idx() whe…

…re it would attempt to free previously free'd entries due to not checking the current array length. Add a test that triggers the problem to ensure it stays fixed.
shinae-woo · Jul 9, 2017 · fd9b3b2 · fd9b3b2
1 parent 7fd74fc
commit fd9b3b2
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/arraylist.c b/arraylist.c
@@ -96,7 +96,8 @@ array_list_put_idx(struct array_list *arr, size_t idx, void *data)
 {
   if (idx > SIZE_T_MAX - 1 ) return -1;
   if(array_list_expand_internal(arr, idx+1)) return -1;
-  if(arr->array[idx]) arr->free_fn(arr->array[idx]);
+  if(idx < arr->length && arr->array[idx])
+    arr->free_fn(arr->array[idx]);
   arr->array[idx] = data;
   if(arr->length <= idx) arr->length = idx + 1;
   return 0;

diff --git a/tests/test1.c b/tests/test1.c
@@ -120,6 +120,19 @@ void test_array_del_idx()
 	       (int)(orig_array_len + 1), rc, json_object_to_json_string(my_array));
 
 	json_object_put(my_array);
+
+	/* Delete some array indexes, then add more */
+	my_array = make_array();
+	rc = json_object_array_del_idx(my_array, 0, orig_array_len - 1);
+	printf("after del_idx(0,%d)=%d, my_array.to_string()=%s\n",
+	       (int)(orig_array_len - 1), rc, json_object_to_json_string(my_array));
+	json_object_array_add(my_array, json_object_new_string("s1"));
+	json_object_array_add(my_array, json_object_new_string("s2"));
+	json_object_array_add(my_array, json_object_new_string("s3"));
+
+	printf("after adding more entries, my_array.to_string()=%s\n",
+	       json_object_to_json_string(my_array));
+	json_object_put(my_array);
 }
 
 int main(int argc, char **argv)