From 8230f8fc9bef1cfc565931257fda71605b780dd5 Mon Sep 17 00:00:00 2001
From: Benoit Blanchon
Date: Fri, 12 Oct 2018 21:00:00 +0200
Subject: [PATCH] Restored JsonVariantLocal to fix the use-after-free

---
 src/ArduinoJson/JsonVariant.hpp | 11 +++++++++++
 src/ArduinoJson/MsgPack/MsgPackDeserializer.hpp | 3 +--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/ArduinoJson/JsonVariant.hpp b/src/ArduinoJson/JsonVariant.hpp
index e611ea52..96c63e7f 100644
--- a/src/ArduinoJson/JsonVariant.hpp
+++ b/src/ArduinoJson/JsonVariant.hpp
@@ -321,4 +321,15 @@ class JsonVariantConst : public JsonVariantProxy,
 return JsonVariantConst(objectGet(variantAsObject(_data), makeString(key)));
 }
 };
+
+class JsonVariantLocal : public JsonVariant {
+ public:
+ explicit JsonVariantLocal(MemoryPool *memoryPool)
+ : JsonVariant(memoryPool, &_localData) {
+ _localData.type = JSON_NULL;
+ }
+
+ private:
+ JsonVariantData _localData;
+};
 } // namespace ARDUINOJSON_NAMESPACE
diff --git a/src/ArduinoJson/MsgPack/MsgPackDeserializer.hpp b/src/ArduinoJson/MsgPack/MsgPackDeserializer.hpp
index 936c3075..92e87e29 100644
--- a/src/ArduinoJson/MsgPack/MsgPackDeserializer.hpp
+++ b/src/ArduinoJson/MsgPack/MsgPackDeserializer.hpp
@@ -278,8 +278,7 @@ class MsgPackDeserializer {
 if (_nestingLimit == 0) return DeserializationError::TooDeep;
 --_nestingLimit;
 for (; n; --n) {
- JsonVariantData keyData;
- JsonVariant key(_memoryPool, &keyData);
+ JsonVariantLocal key(_memoryPool);
 DeserializationError err = parse(key);
 if (err) return err;
 if (!key.is()) return DeserializationError::NotSupported;
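Review bot: JsonVariantLocal hands the base class the address of its own `_localData` member but keeps the implicitly generated copy operations, so a copy would (assuming JsonVariant stores that pointer) refer to the source object's storage and dangle once the source is destroyed, which is the same class of bug this patch is fixing. Slicing the object to a plain JsonVariant carries the same lifetime limit. I would make the type non-copyable by declaring `JsonVariantLocal(const JsonVariantLocal &);` and `JsonVariantLocal &operator=(const JsonVariantLocal &);` private and undefined, or `= delete` if the supported compilers allow it. A class comment such as `// Variant backed by storage inside this object; must not be copied or outlive its scope.` would also help.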
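Review bot: Nothing at the `JsonVariantLocal key(_memoryPool);` call site records why the key must be a JsonVariantLocal rather than a bare JsonVariantData plus JsonVariant, so a later cleanup could quietly restore the removed form. The visible difference from the two removed lines is that the new constructor sets `_localData.type = JSON_NULL`, whereas `keyData` was left uninitialized. If that is what parse() tripped over, a short comment such as `// key storage must start out as JSON_NULL before parse() touches it` would pin the intent. The diffstat lists only the two headers, so a regression test that feeds the triggering MsgPack input through the deserializer would also be worth adding. The loop body continues past the end of this hunk.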