594167
From 0c5992cdb85ac6d9d14b95e77f03797600e87667 Mon Sep 17 00:00:00 2001
594167
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
594167
Date: Mon, 9 May 2022 14:28:36 +0200
594167
Subject: [PATCH] shared/json: fix memory leak on failed normalization
594167
594167
We need to increase the counter immediately after taking the ref,
594167
otherwise we may not unref it properly if we fail before incrementing.
594167
594167
(cherry picked from commit 7e4be6a5845f983a299932d4ccb2c4349cf8dd52)
594167
Related: #2087652
594167
---
594167
 src/shared/json.c                       | 5 +++--
594167
 test/fuzz/fuzz-json/leak-normalize-fail | 1 +
594167
 2 files changed, 4 insertions(+), 2 deletions(-)
594167
 create mode 100644 test/fuzz/fuzz-json/leak-normalize-fail
594167
594167
diff --git a/src/shared/json.c b/src/shared/json.c
594167
index ea1291e21b..fe05657dad 100644
594167
--- a/src/shared/json.c
594167
+++ b/src/shared/json.c
594167
@@ -4655,10 +4655,11 @@ int json_variant_normalize(JsonVariant **v) {
594167
         if (!a)
594167
                 return -ENOMEM;
594167
 
594167
-        for (i = 0; i < m; i++) {
594167
+        for (i = 0; i < m; ) {
594167
                 a[i] = json_variant_ref(json_variant_by_index(*v, i));
594167
+                i++;
594167
 
594167
-                r = json_variant_normalize(a + i);
594167
+                r = json_variant_normalize(&a[i-1]);
594167
                 if (r < 0)
594167
                         goto finish;
594167
         }
594167
diff --git a/test/fuzz/fuzz-json/leak-normalize-fail b/test/fuzz/fuzz-json/leak-normalize-fail
594167
new file mode 100644
594167
index 0000000000..b247ccd199
594167
--- /dev/null
594167
+++ b/test/fuzz/fuzz-json/leak-normalize-fail
594167
@@ -0,0 +1 @@
594167
+[7E73]
594167
\ No newline at end of file