Closed
Description
I was taking a look at the cJSON codebase on behalf of a customer, and I found a spot that I wanted to check when printing cJSON_Raw values:
- If item->valuestring is NULL, the print_value() implementation may deallocate the write buffer and then return. However, at least some callers of print_value() (for example print()) will also deallocate this buffer on failure. This looks like a potential double-free.
I haven't had time to verify this for certain, or write a test, but I thought I would report it while I had it in front of me. Seems like it's probably an unlikely path to hit in real code.
EDIT: The previous version of this issue had two points. For one, I missed that the memcpy included the terminating byte.
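The ownership mistake described in the report, reduced to a stand-alone model so the double release is countable (this is an added example, not cJSON's code; printbuffer, release_buffer, print_raw_buggy, print_raw_fixed and run_print are hypothetical names):

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Reduced model of a print buffer. free_count is instrumentation only. */
typedef struct {
    unsigned char *buffer;
    size_t length;
    int free_count;   /* how many times release_buffer() was called */
} printbuffer;

/* Counts every release attempt. Real code would not NULL the pointer, which is
   exactly why a second free() on it is dangerous; here it is NULLed so the
   counter can show the pattern without corrupting the heap. */
static void release_buffer(printbuffer *p) {
    p->free_count++;
    free(p->buffer);          /* free(NULL) is a no-op on the second call */
    p->buffer = NULL;
}

/* Buggy shape: the callee releases a buffer it does not own, then signals failure. */
static bool print_raw_buggy(const char *valuestring, printbuffer *out) {
    if (valuestring == NULL) {
        release_buffer(out);  /* caller will release again -> double free */
        return false;
    }
    if (strlen(valuestring) + 1 > out->length) return false;
    memcpy(out->buffer, valuestring, strlen(valuestring) + 1);
    return true;
}

/* Fixed shape: the callee only reports failure; ownership stays with the caller. */
static bool print_raw_fixed(const char *valuestring, printbuffer *out) {
    if (valuestring == NULL) return false;
    if (strlen(valuestring) + 1 > out->length) return false;
    memcpy(out->buffer, valuestring, strlen(valuestring) + 1);
    return true;
}

/* Caller modelled on a print() routine: allocate, print, release exactly once.
   Returns the number of releases: 1 is correct, 2 means a double free. */
static int run_print(bool (*printer)(const char *, printbuffer *), const char *valuestring) {
    printbuffer p = { malloc(64), 64, 0 };
    if (p.buffer == NULL) return -1;
    printer(valuestring, &p);     /* result ignored: cleanup happens either way */
    release_buffer(&p);           /* the one release the caller is responsible for */
    return p.free_count;
}

int main(void) {
    return run_print(print_raw_buggy, NULL) == 2 ? 0 : 1;
}
```

A sanitizer build (for example -fsanitize=address) of the buggy shape without the NULLing in release_buffer reports the second free as a double-free at the caller's cleanup line.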
Activity
FSMaxB commented on Feb 7, 2018
You are right. All callers of print_value deallocate the buffer on failure, except in cJSON_PrintPreallocated, where there are no allocations anyway. I will fix this and make a new release immediately.
FSMaxB commented on Feb 7, 2018
Thanks a lot for reviewing cJSON!
FSMaxB commented on Feb 7, 2018
1.7.3 has been released with a fix.
projectgus commented on Feb 8, 2018
Wow, that's great. Thanks for the quick response @FSMaxB!