From 6d3a7213f58da834b0fc869d05f87e86010c66cf Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 12 Jul 2020 14:34:00 +0200
Subject: [PATCH] patch 8.2.1188: memory leak with invalid json input
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problem:    Memory leak with invalid json input.
Solution:   Free all keys at the end. (Dominique Pellé, closes #6443,
            closes #6442)
---
 src/json.c                | 9 ++++-----
 src/testdir/test_json.vim | 2 ++
 src/version.c             | 2 ++
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/json.c b/src/json.c
index 8eb6680bea..c22864df10 100644
--- a/src/json.c
+++ b/src/json.c
@@ -594,6 +594,7 @@ typedef struct {
 json_decode_item(js_read_T *reader, typval_T *res, int options)
 {
     char_u	*p;
+    int		i;
     int		len;
     int		retval;
     garray_T	stack;
@@ -621,9 +622,6 @@ json_decode_item(js_read_T *reader, typval_T *res, int options)
 	    if (*p == NUL)
 	    {
 		retval = MAYBE;
-		if (top_item->jd_type == JSON_OBJECT)
-		    // did get the key, clear it
-		    clear_tv(&top_item->jd_key_tv);
 		goto theend;
 	    }
 	    if (top_item->jd_type == JSON_OBJECT_KEY
@@ -925,7 +923,6 @@ json_decode_item(js_read_T *reader, typval_T *res, int options)
 		top_item->jd_key = tv_get_string_buf_chk(cur_item, key_buf);
 		if (top_item->jd_key == NULL)
 		{
-		    clear_tv(cur_item);
 		    emsg(_(e_invarg));
 		    retval = FAIL;
 		    goto theend;
@@ -1001,7 +998,6 @@ item_end:
 		{
 		    semsg(_("E938: Duplicate key in JSON: \"%s\""),
 							     top_item->jd_key);
-		    clear_tv(&top_item->jd_key_tv);
 		    clear_tv(cur_item);
 		    retval = FAIL;
 		    goto theend;
@@ -1060,7 +1056,10 @@ item_end:
     semsg(_(e_json_error), p);
 
 theend:
+    for (i = 0; i < stack.ga_len; i++)
+	clear_tv(&(((json_dec_item_T *)stack.ga_data) + i)->jd_key_tv);
     ga_clear(&stack);
+
     return retval;
 }
 
diff --git a/src/testdir/test_json.vim b/src/testdir/test_json.vim
index c3b4382bd7..c619882953 100644
--- a/src/testdir/test_json.vim
+++ b/src/testdir/test_json.vim
@@ -201,6 +201,8 @@ func Test_json_decode()
   call assert_fails('call json_decode("\"\\u111Z\"")', 'E491:')
   call assert_equal('[😂]', json_decode('"[\uD83D\uDE02]"'))
   call assert_equal('a😂b', json_decode('"a\uD83D\uDE02b"'))
+
+  call assert_fails('call json_decode("{\"\":{\"\":{")', 'E491:')
 endfunc
 
 let s:jsl5 = '[7,,,]'
diff --git a/src/version.c b/src/version.c
index d0067bf997..eaca91f2c9 100644
--- a/src/version.c
+++ b/src/version.c
@@ -754,6 +754,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1188,
 /**/
     1187,
 /**/
-- 
GitLab