Closed
Description
If the newitem passed in cJSON_InsertItemInArray doesn't have prev, the newitem->prev will be null. The null pointer dereference will cause SEGV in function cJSON_InsertItemInArray cJSON.c:2287
Version
commit cb8693b058ba302f4829ec6d03f609ac6f848546 (HEAD -> master, tag: v1.7.16, origin/master, origin/HEAD)
Author: Alan Wang <[email protected]>
Date: Wed Jul 5 11:22:19 2023 +0800
Related Code
```c
CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON *newitem)
{
    cJSON *after_inserted = NULL;

    if (which < 0)
    {
        return false;
    }

    after_inserted = get_array_item(array, (size_t)which);
    if (after_inserted == NULL)
    {
        return add_item_to_array(array, newitem);
    }

    newitem->next = after_inserted;
    newitem->prev = after_inserted->prev;
    after_inserted->prev = newitem;
    if (after_inserted == array->child)
    {
        array->child = newitem;
    }
    else
    {
        newitem->prev->next = newitem; // <== here
    }
    return true;
}
```
Impact
Potentially causing DoS
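
An added example, not cJSON's code and not from the issue author: the insertion logic quoted above, rebuilt on a hypothetical minimal `node` struct, with the pointer checks that stop a missing `prev` from being dereferenced. The names `node`, `item_at`, `insert_checked` and `demo_malformed` are assumptions, and an out-of-range index is rejected here instead of appended.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for the next/prev/child links of a cJSON node. */
typedef struct node { struct node *next, *prev, *child; } node;

/* Reach element `which` through `next` only, so a bad `prev` goes unnoticed. */
static node *item_at(const node *array, size_t which)
{
    node *cur = array->child;
    while (cur != NULL && which > 0) {
        cur = cur->next;
        which--;
    }
    return cur;
}

/* Same insertion as in the report, with the pointers validated before use. */
bool insert_checked(node *array, int which, node *newitem)
{
    node *after;
    if (array == NULL || newitem == NULL || which < 0) {
        return false;
    }
    after = item_at(array, (size_t)which);
    if (after == NULL) {
        return false; /* simplification: the code in the report appends here */
    }
    if (after != array->child && after->prev == NULL) {
        return false; /* non-head element without prev: malformed list */
    }
    newitem->next = after;
    newitem->prev = after->prev;
    after->prev = newitem;
    if (after == array->child) {
        array->child = newitem;
    } else {
        newitem->prev->next = newitem; /* prev is non-NULL on this path */
    }
    return true;
}

/* Constructed input: second element linked via next only, prev left NULL. */
bool demo_malformed(void)
{
    node a = {0}, b = {0}, arr = {0}, n = {0};
    arr.child = &a;
    a.next = &b; /* b.prev stays NULL */
    return insert_checked(&arr, 1, &n);
}
```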