From 6ef1c269792ece2842f65b4b6966ebac3b21a8e3 Mon Sep 17 00:00:00 2001
From: Nikias Bassen
Date: Fri, 28 Jan 2022 22:06:02 +0100
Subject: jplist: Fix use-after-free in unescape_string

Credit to OSS-Fuzz
---
 src/jplist.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/jplist.c b/src/jplist.c
index cb29742..ace4bff 100644
--- a/src/jplist.c
+++ b/src/jplist.c
@@ -496,13 +496,13 @@ static char* unescape_string(const char* str_val, size_t str_len, size_t *new_le
 case 'u': {
 unsigned int val = 0;
 if (str_len-(i+2) < 4) {
-free(strval);
 PLIST_JSON_ERR("%s: invalid escape sequence '%s' (too short)\n", __func__, strval+i);
+free(strval);
 return NULL;
 }
 if (!(isxdigit(strval[i+2]) && isxdigit(strval[i+3]) && isxdigit(strval[i+4]) && isxdigit(strval[i+5])) || sscanf(strval+i+2, "%04x", &val) != 1) {
-free(strval);
 PLIST_JSON_ERR("%s: invalid escape sequence '%.*s'\n", __func__, 6, strval+i);
+free(strval);
 return NULL;
 }
 int bytelen = 0;
--
cgit v1.1-32-gdbae
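Review bot: The corrected order on the two `+free(strval);` lines is now the only thing keeping the error message from reading freed memory, and nothing in the hunk records that dependency, so a later edit that reorders or merges the two error paths can reintroduce the same use-after-free. Add a why-comment at both sites, `/* PLIST_JSON_ERR prints from strval: free it only after logging */`, or collapse both paths into a single `fail:` label that logs and then frees, so the ordering is stated once. unescape_string starts before and continues after this hunk; the other error returns in the rest of the function are not visible here and presumably should be checked for the same free-before-log pattern, since only the two 'u' escape paths are fixed by this commit.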