Fix use-after-free if prerequisite has null offVariation (#214)

cwaldren-ld · web-flow · commit 61f186a4da49 · 2022-10-11T16:20:50.000-07:00
* Fix null pointer causing segfault within event processor

* Add unit test for use-after-free

* Fix memory leak due to failure to clear LDDetails
diff --git a/src/evaluate.c b/src/evaluate.c
@@ -200,6 +200,9 @@ static LDBoolean  addValue(
     LD_ASSERT(o_error);
 
     if(!getValue(flag, result, index, o_error, &validatedVariationIndex)) {
+
+        LDDetailsClear(details);
+
         *result               = NULL;
         details->hasVariation = LDBooleanFalse;
         details->reason = LD_ERROR;
diff --git a/src/variations.c b/src/variations.c
@@ -329,6 +329,7 @@ variation(
             detailsRef->extra.errorKind = LD_MALFORMED_FLAG;
 
             LDJSONFree(subEvents);
+            subEvents = NULL;
 
             /* In this case the value will be null, so after LDi_processEvaluation the value will be checked,
              * and then it will move on to the error condition. */
diff --git a/tests/test-variations.cpp b/tests/test-variations.cpp
@@ -385,3 +385,88 @@ TEST_F(VariationsFixture, OffWithUndefinedOffVariation) {
     LDClientClose(client);
     LDDetailsClear(&details);
 }
+
+
+TEST_F(VariationsFixture, TestNullOffVariationInPrerequisiteDoesNotCauseUseAfterFree) {
+    struct LDJSON *flag;
+    struct LDDetails details;
+    struct LDClient *client;
+    struct LDUser *user = LDUserNew("foo");
+
+    ASSERT_TRUE(client = makeTestClient());
+
+    LDDetailsInit(&details);
+
+    ASSERT_TRUE(flag = LDNewObject());
+    ASSERT_TRUE(LDObjectSetKey(flag, "clientSide", LDNewBool(LDBooleanFalse)));
+    ASSERT_TRUE(LDObjectSetKey(flag, "debugEventsUntilDate", LDNewNull()));
+    ASSERT_TRUE(LDObjectSetKey(flag, "deleted", LDNewBool(LDBooleanFalse)));
+    ASSERT_TRUE(LDObjectSetKey(flag, "key", LDNewText("streaming.03.featureKey")));
+    ASSERT_TRUE(LDObjectSetKey(flag, "on", LDNewBool(LDBooleanTrue)));
+    ASSERT_TRUE(LDObjectSetKey(flag, "salt", LDNewText("")));
+    ASSERT_TRUE(LDObjectSetKey(flag, "offVariation", LDNewNull()));
+    ASSERT_TRUE(LDObjectSetKey(flag, "trackEvents", LDNewBool(LDBooleanTrue)));
+    ASSERT_TRUE(LDObjectSetKey(flag, "trackEventsFallthrough", LDNewBool(LDBooleanFalse)));
+    ASSERT_TRUE(LDObjectSetKey(flag, "targets", LDNewArray()));
+    ASSERT_TRUE(LDObjectSetKey(flag, "rules", LDNewArray()));
+    ASSERT_TRUE(LDObjectSetKey(flag, "version", LDNewNumber(0)));
+
+
+    struct LDJSON *variations = LDNewArray();
+    ASSERT_TRUE(LDArrayPush(variations, LDNewText("A")));
+    ASSERT_TRUE(LDArrayPush(variations, LDNewText("B")));
+
+    ASSERT_TRUE(LDObjectSetKey(flag, "variations", variations));
+
+    struct LDJSON *fallthrough;
+    ASSERT_TRUE(fallthrough = LDNewObject());
+    ASSERT_TRUE(LDObjectSetKey(fallthrough, "variation", LDNewNumber(0)));
+    ASSERT_TRUE(LDObjectSetKey(flag, "fallthrough", fallthrough));
+
+    struct LDJSON *prerequisites = LDNewArray();
+    struct LDJSON *prereq = LDNewObject();
+    ASSERT_TRUE(LDObjectSetKey(prereq, "key", LDNewText("streaming.03.prereqFeatureKey")));
+    ASSERT_TRUE(LDObjectSetKey(prereq, "variation", LDNewNumber(0)));
+    ASSERT_TRUE(LDArrayPush(prerequisites, prereq));
+
+    ASSERT_TRUE(LDObjectSetKey(flag, "prerequisites", prerequisites));
+
+    struct LDJSON *prerequisite = LDNewObject();
+    ASSERT_TRUE(LDObjectSetKey(prerequisite, "clientSide", LDNewBool(LDBooleanFalse)));
+    ASSERT_TRUE(LDObjectSetKey(prerequisite, "debugEventsUntilDate", LDNewNull()));
+    ASSERT_TRUE(LDObjectSetKey(prerequisite, "deleted", LDNewBool(LDBooleanFalse)));
+    ASSERT_TRUE(LDObjectSetKey(prerequisite, "key", LDNewText("streaming.03.prereqFeatureKey")));
+    ASSERT_TRUE(LDObjectSetKey(prerequisite, "offVariation", LDNewNull()));
+    ASSERT_TRUE(LDObjectSetKey(prerequisite, "on", LDNewBool(LDBooleanFalse)));
+    ASSERT_TRUE(LDObjectSetKey(prerequisite, "prerequisites", LDNewArray()));
+    ASSERT_TRUE(LDObjectSetKey(prerequisite, "rules", LDNewArray()));
+    ASSERT_TRUE(LDObjectSetKey(prerequisite, "salt", LDNewText("")));
+    ASSERT_TRUE(LDObjectSetKey(prerequisite, "trackEvents", LDNewBool(LDBooleanTrue)));
+    ASSERT_TRUE(LDObjectSetKey(prerequisite, "trackEventsFallthrough", LDNewBool(LDBooleanFalse)));
+    ASSERT_TRUE(LDObjectSetKey(prerequisite, "targets", LDNewArray()));
+    ASSERT_TRUE(LDObjectSetKey(prerequisite, "version", LDNewNumber(0)));
+
+    struct LDJSON *pfallthrough;
+    ASSERT_TRUE(pfallthrough = LDNewObject());
+    ASSERT_TRUE(LDObjectSetKey(pfallthrough, "variation", LDNewNumber(0)));
+    ASSERT_TRUE(LDObjectSetKey(prerequisite, "fallthrough", pfallthrough));
+
+    struct LDJSON *pvariations = LDNewArray();
+    LDArrayPush(pvariations, LDNewText("first"));
+    LDArrayPush(pvariations, LDNewText("second"));
+
+    LDObjectSetKey(prerequisite, "variations", pvariations);
+
+    ASSERT_TRUE(LDStoreInitEmpty(client->store));
+
+    LDStoreUpsert(client->store, LD_FLAG, prerequisite);
+    LDStoreUpsert(client->store, LD_FLAG, flag);
+
+    char *result = LDStringVariation(client, user, "streaming.03.featureKey", "default", &details);
+
+    LDUserFree(user);
+    LDDetailsClear(&details);
+    LDFree(result);
+    LDClientClose(client);
+
+}
