Fix an off-by-one error in json_array_remove()

Uninitialized memory was read when the last item of a "full" array was
removed.
This commit is contained in:
Petri Lehtinen 2012-12-04 09:32:42 +02:00
parent ac0ca9223b
commit 54d59c743c
2 changed files with 18 additions and 1 deletions

View File

@ -509,7 +509,10 @@ int json_array_remove(json_t *json, size_t index)
json_decref(array->table[index]); json_decref(array->table[index]);
/* If we're removing the last element, nothing has to be moved */
if(index < array->entries - 1)
array_move(array, index, index + 1, array->entries - index); array_move(array, index, index + 1, array->entries - index);
array->entries--; array->entries--;
return 0; return 0;

View File

@ -206,6 +206,7 @@ static void test_insert(void)
static void test_remove(void) static void test_remove(void)
{ {
json_t *array, *five, *seven; json_t *array, *five, *seven;
int i;
array = json_array(); array = json_array();
five = json_integer(5); five = json_integer(5);
@ -253,6 +254,19 @@ static void test_remove(void)
json_array_get(array, 2) != seven) json_array_get(array, 2) != seven)
fail("remove works incorrectly"); fail("remove works incorrectly");
json_decref(array);
array = json_array();
for(i = 0; i < 4; i++) {
json_array_append(array, five);
json_array_append(array, seven);
}
if(json_array_size(array) != 8)
fail("unable to append 8 items to array");
/* Remove the last element from a "full" array. */
json_array_remove(array, 7);
json_decref(five); json_decref(five);
json_decref(seven); json_decref(seven);
json_decref(array); json_decref(array);