cJSON / Bugs / #51 Fixed some memory leak bugs when some heap allocation fails in cJSON

#51 Fixed some memory leak bugs when some heap allocation fails in cJSON_Create(String|*Array) functions

Milestone: v1.0 (example)

Status: closed-fixed

Owner: Dave Gamble

Labels: None

Priority: 5

Updated: 2016-03-19

Created: 2016-01-06

Creator: Irwan Djajadi

Private: No

Hello, we found some unroll bugs on cJSON_Create(String|*Array) where the cJSON structure's value has to be allocated. If the value fails to be allocated, cJSON ends up returning an invalid cJSON structure.

We've fixed it internally with our patch. We're wondering if you would accept this patch upstream.

This patch fixed:
* cJSON_CreateString
* cJSON_CreateIntArray
* cJSON_CreateFloatArray
* cJSON_CreateDoubleArray
* cJSON_CreateStringArray

if heap-allocation fails when cJSON allocates the value, then it's going to call cJSON_Delete on the already created cJSON structure and return NULL. This behavior is consistent with the other cJSON_Create* functions whose values are simple types, like cJSON_CreateBool, etc, in that when there's heap-allocation error, those functions also return NULL.

"""
--- a/cJSON.c
+++ b/cJSON.c
@@ -560,15 +560,15 @@
cJSON cJSON_CreateFalse(void) {cJSON item=cJSON_New_Item();if(item)item->type=cJSON_False;return item;}
cJSON cJSON_CreateBool(int b) {cJSON item=cJSON_New_Item();if(item)item->type=b?cJSON_True:cJSON_False;return item;}
cJSON cJSON_CreateNumber(double num) {cJSON item=cJSON_New_Item();if(item){item->type=cJSON_Number;item->valuedouble=num;item->valueint=(int)num;}return item;}
-cJSON cJSON_CreateString(const char string) {cJSON item=cJSON_New_Item();if(item){item->type=cJSON_String;item->valuestring=cJSON_strdup(string);}return item;}
+cJSON cJSON_CreateString(const char string) {cJSON item=cJSON_New_Item();if(item){item->type=cJSON_String;item->valuestring=cJSON_strdup(string);if(!item->valuestring){cJSON_Delete(item);return 0;}}return item;}
cJSON cJSON_CreateArray(void) {cJSON item=cJSON_New_Item();if(item)item->type=cJSON_Array;return item;}
cJSON cJSON_CreateObject(void) {cJSON item=cJSON_New_Item();if(item)item->type=cJSON_Object;return item;}

/ Create Arrays: /
-cJSON cJSON_CreateIntArray(const int numbers,int count) {int i;cJSON n=0,p=0,a=cJSON_CreateArray();for(i=0;a && i<count;i++){n=cjson_createnumber(numbers[i]);if(!i)a->child=n;else suffix_object(p,n);p=n;}return a;}
-cJSON </count;i++){n=cjson_createnumber(numberscJSON_CreateFloatArray(const float numbers,int count) {int i;cJSON n=0,p=0,a=cJSON_CreateArray();for(i=0;a && i<count;i++){n=cjson_createnumber(numbers[i]);if(!i)a->child=n;else suffix_object(p,n);p=n;}return a;}
-cJSON cJSON_CreateDoubleArray(const double numbers,int count) {int i;cJSON n=0,p=0,a=cJSON_CreateArray();for(i=0;a && i<count;i++){n=cjson_createnumber(numbers[i]);if(!i)a->child=n;else suffix_object(p,n);p=n;}return a;}
-cJSON </count;i++){n=cjson_createnumber(numberscJSON_CreateStringArray(const char strings,int count) {int i;cJSON n=0,p=0,a=cJSON_CreateArray();for(i=0;a && i<count;i++){n=cjson_createstring(strings[i]);if(!i)a->child=n;else suffix_object(p,n);p=n;}return a;}
+cJSON </count;i++){n=cjson_createstring(stringscJSON_CreateIntArray(const int numbers,int count) {int i;cJSON n=0,p=0,a=cJSON_CreateArray();for(i=0;a && i<count;i++){n=cjson_createnumber(numbers[i]);if(!n){cJSON_Delete(a);return 0;}if(!i)a->child=n;else suffix_object(p,n);p=n;}return a;}
+cJSON cJSON_CreateFloatArray(const float numbers,int count) {int i;cJSON n=0,p=0,a=cJSON_CreateArray();for(i=0;a && i<count;i++){n=cjson_createnumber(numbers[i]);if(!n){cJSON_Delete(a);return 0;}if(!i)a->child=n;else suffix_object(p,n);p=n;}return a;}
+cJSON </count;i++){n=cjson_createnumber(numberscJSON_CreateDoubleArray(const double numbers,int count) {int i;cJSON n=0,p=0,a=cJSON_CreateArray();for(i=0;a && i<count;i++){n=cjson_createnumber(numbers[i]);if(!n){cJSON_Delete(a);return 0;}if(!i)a->child=n;else suffix_object(p,n);p=n;}return a;}
+cJSON *cJSON_CreateStringArray(const char </count;i++){n=cjson_createnumber(numbers</count;i++){n=cjson_createnumber(numbersstrings,int count) {int i;cJSON n=0,p=0,*a=cJSON_CreateArray();for(i=0;a && i<count;i++){n=cjson_createstring(strings[i]);if(!n){cJSON_Delete(a);return 0;}if(!i)a->child=n;else suffix_object(p,n);p=n;}return a;}</count;i++){n=cjson_createstring(strings</count;i++){n=cjson_createnumber(numbers

/ Duplication /
cJSON cJSON_Duplicate(cJSON item,int recurse)
"""

Thank you much!

Discussion

Irwan Djajadi - 2016-01-06

Ugh.. the patch doesn't get formatted correctly when pasted inline. I'm attaching the patch file here.
Sorry bout that.

unrollCreate.patch

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Gamble - 2016-03-19

Merged upstream at https://github.com/DaveGamble/cJSON, with thanks!

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Gamble - 2016-03-19

status: unread --> closed-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Fixed some memory leak bugs when some heap allocation fails in...

Group

Searches

Help

#51 Fixed some memory leak bugs when some heap allocation fails in cJSON_Create(String|*Array) functions

Discussion