authordrh <>2023-10-09 12:46:53 +0000
committerdrh <>2023-10-09 12:46:53 +0000
commitfaef28e6bd654e5061561423cb1ece6ca84f1f1f (patch)
tree7a65a257f399f246ac63e30a3ee2000cdede01fa /src/json.c
parent66dacae4c3f818d0a9e94ecb4433c823a69a98aa (diff)
Fix a potential UAF caused by JSON parser cache spill.
[forum:/forumpost/b25edc1d46|Forum post b25edc1d46]. FossilOrigin-Name: a163fecca90cab9d1b7bf8ebac78d498775eed7b6d81e7920e3401633c3a4b60
Diffstat (limited to 'src/json.c')
-rw-r--r--src/json.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/json.c b/src/json.c
index adcb69113..b28ba7ecd 100644
--- a/src/json.c
+++ b/src/json.c
@@ -2902,6 +2902,7 @@ static void jsonReplaceFunc(
}
pParse = jsonParseCached(ctx, argv[0], ctx, argc>1);
if( pParse==0 ) return;
+ pParse->nJPRef++;
for(i=1; i<(u32)argc; i+=2){
zPath = (const char*)sqlite3_value_text(argv[i]);
pParse->useMod = 1;
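Review bot: The added `pParse->nJPRef++` has no comment saying why a parse obtained from jsonParseCached needs an extra reference, and the same bare increment appears in the jsonSetFunc hunk. Going by the commit message, the reference presumably keeps the cache from freeing pParse if it spills while the loop is still using the parse. That should be stated at the increment, e.g. `/* Hold a reference: a cache spill during the loop must not free pParse; released at replace_err */`. The loop body continues outside the hunk, so the call that can trigger the spill is not visible here.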
@@ -2914,6 +2915,7 @@ static void jsonReplaceFunc(
jsonReturnJson(pParse, pParse->aNode, ctx, 1);
replace_err:
jsonDebugPrintParse(pParse);
+ jsonParseFree(pParse);
}
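Review bot: The release `jsonParseFree(pParse)` sits after the `replace_err:` label, so the reference taken by `nJPRef++` is dropped only on paths that reach that label; the same holds for `jsonSetDone:` in jsonSetFunc. A direct `return` anywhere between the increment and the label would leave the count unbalanced, and the cached parse would presumably never be released. The loop bodies lie outside these hunks, so that needs to be confirmed against the full functions. A comment at the label such as `/* Every exit after nJPRef++ must pass through here to drop the reference */` would guard against a later edit adding an early return.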
@@ -2948,6 +2950,7 @@ static void jsonSetFunc(
}
pParse = jsonParseCached(ctx, argv[0], ctx, argc>1);
if( pParse==0 ) return;
+ pParse->nJPRef++;
for(i=1; i<(u32)argc; i+=2){
zPath = (const char*)sqlite3_value_text(argv[i]);
bApnd = 0;
@@ -2964,9 +2967,8 @@ static void jsonSetFunc(
}
jsonDebugPrintParse(pParse);
jsonReturnJson(pParse, pParse->aNode, ctx, 1);
-
jsonSetDone:
- /* no cleanup required */;
+ jsonParseFree(pParse);
}
/*