
Use-after-free in sentry__value_merge_objects on allocation failure #1538

@jpnurmi

Description


Title: Use-after-free in sentry__value_merge_objects on allocation failure

sentry__value_merge_objects() can corrupt the source object when sentry_value_set_by_key() fails due to OOM. The source object is left with a dangling pointer to freed memory.

The incref happens after sentry_value_set_by_key:

} else if (sentry_value_is_null(dst_val)) {
    if (sentry_value_set_by_key(dst, key, src_val) != 0) {
        return 1;
    }
    sentry_value_incref(src_val);

But set_by_key decrefs the value on failure:

fail:
    sentry_value_decref(v);
    return 1;

If the source value has refcount 1, the decref frees it and the source object is left with a dangling pointer.

sentry__value_clone does it correctly — incref before set_by_key:

sentry_value_incref(obj->pairs[i].v);
sentry_value_set_by_key(rv, obj->pairs[i].k, obj->pairs[i].v);

The affected function is called from sentry__scope_apply_to_event to merge the global scope's tags, extra, and propagation context into events. On OOM, this corrupts the global scope, affecting all subsequent event captures.

Possible fix: swap the incref to before set_by_key, matching the pattern in sentry__value_clone.
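The ownership bug described above, reduced to a toy refcounted object so the two orderings can be compared side by side. This is an added example, not sentry-native's code: `value_t`, `object_t`, `object_set_by_key`, `merge_objects_buggy`, `merge_objects_fixed` and the `g_fail_next_alloc` fault-injection flag are assumed names for this illustration. The toy `value_decref` marks a value `freed` instead of calling `free()` so the dangling pointer can be inspected without undefined behaviour; only the ordering of incref versus the failing set_by_key is the point.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy refcounted value. The layout and names are assumptions for this example,
 * not sentry-native's API. */
typedef struct value {
    int refcount;
    int freed;   /* set instead of free() so a dangling reference can be inspected safely */
    int number;
} value_t;

typedef struct pair { const char *k; value_t *v; } pair_t;

typedef struct object {
    pair_t pairs[4];
    int len;
} object_t;

static value_t *value_new(int number) {
    value_t *v = calloc(1, sizeof *v);
    v->refcount = 1;
    v->number = number;
    return v;
}

static void value_incref(value_t *v) { v->refcount++; }

static void value_decref(value_t *v) {
    if (--v->refcount == 0) {
        v->freed = 1;   /* a real implementation would free(v) here */
    }
}

/* Fault injection (assumed for this example): when set, the next set fails as if OOM. */
static int g_fail_next_alloc = 0;

/* Mirrors the failure contract quoted in the issue: on failure the callee consumes
 * (decrefs) the value it was handed and returns nonzero. */
static int object_set_by_key(object_t *obj, const char *key, value_t *v) {
    if (g_fail_next_alloc || obj->len >= 4) {
        g_fail_next_alloc = 0;
        value_decref(v);
        return 1;
    }
    obj->pairs[obj->len].k = key;
    obj->pairs[obj->len].v = v;
    obj->len++;
    return 0;
}

/* Buggy order: incref only after a successful set, so a failing set drops the
 * reference that src still holds. */
static int merge_objects_buggy(object_t *dst, const object_t *src) {
    for (int i = 0; i < src->len; i++) {
        if (object_set_by_key(dst, src->pairs[i].k, src->pairs[i].v) != 0) return 1;
        value_incref(src->pairs[i].v);
    }
    return 0;
}

/* Fixed order: take the extra reference first; a failing set then releases only
 * that extra reference and src keeps its own. */
static int merge_objects_fixed(object_t *dst, const object_t *src) {
    for (int i = 0; i < src->len; i++) {
        value_incref(src->pairs[i].v);
        if (object_set_by_key(dst, src->pairs[i].k, src->pairs[i].v) != 0) return 1;
    }
    return 0;
}

/* Runs one merge with an injected failure and returns 1 if the source object
 * is left pointing at a value whose refcount hit zero. */
static int source_corrupted_after_failed_merge(int use_fixed) {
    object_t src = {0}, dst = {0};
    value_t *v = value_new(42);
    object_set_by_key(&src, "tag", v);     /* src owns the only reference (refcount 1) */

    g_fail_next_alloc = 1;
    int rc = use_fixed ? merge_objects_fixed(&dst, &src)
                       : merge_objects_buggy(&dst, &src);
    int corrupted = (rc != 0) && src.pairs[0].v->freed;

    free(v);   /* real cleanup of the toy heap */
    return corrupted;
}

int main(void) {
    printf("buggy order leaves src dangling: %d\n", source_corrupted_after_failed_merge(0));
    printf("fixed order leaves src dangling: %d\n", source_corrupted_after_failed_merge(1));
    return 0;
}
```

With the buggy ordering the injected failure drives the value's refcount from 1 to 0 while `src.pairs[0].v` still points at it; with the incref moved before the set, the same failure returns the refcount to 1 and the source object stays intact.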
