From 0ec4e86f14a0b801cee4a707f51245a6b735fef2 Mon Sep 17 00:00:00 2001
From: StilesCrisis <johnstiles@John-Stiles-iMac.local>
Date: Mon, 27 Feb 2017 23:06:05 -0800
Subject: [PATCH 1/2] Unit test

Add unit test for Issue 848 (segfault in ~Document)
---
 test/unittest/schematest.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/test/unittest/schematest.cpp b/test/unittest/schematest.cpp
index 4780516..30b3260 100644
--- a/test/unittest/schematest.cpp
+++ b/test/unittest/schematest.cpp
@@ -1281,6 +1281,12 @@ TEST(SchemaValidatingWriter, Simple) {
     EXPECT_TRUE(validator.GetInvalidDocumentPointer() == SchemaDocument::PointerType(""));
 }
 
+TEST(Schema, Issue848) {
+    rapidjson::Document d;
+    rapidjson::SchemaDocument s(d);
+    rapidjson::GenericSchemaValidator<rapidjson::SchemaDocument, rapidjson::Document> v(s);
+}
+
 #if RAPIDJSON_HAS_CXX11_RVALUE_REFS
 
 static SchemaDocument ReturnSchemaDocument() {

From 4643104b8a0424f8f645b2777fbcdccf9a17acbf Mon Sep 17 00:00:00 2001
From: StilesCrisis <johnstiles@John-Stiles-iMac.local>
Date: Mon, 27 Feb 2017 23:28:25 -0800
Subject: [PATCH 2/2] Fix null handler construction

We should not malloc the null-handler object and cast to OutputHandler;
we need to actually invoke the constructor via placement new.
---
 include/rapidjson/schema.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/rapidjson/schema.h b/include/rapidjson/schema.h
index c20a838..3dddd3a 100644
--- a/include/rapidjson/schema.h
+++ b/include/rapidjson/schema.h
@@ -1928,7 +1928,7 @@ private:
     const Context& CurrentContext() const { return *schemaStack_.template Top<Context>(); }
 
     OutputHandler& CreateNullHandler() {
-        return *(nullHandler_ = static_cast<OutputHandler*>(GetStateAllocator().Malloc(sizeof(OutputHandler))));
+        return *(nullHandler_ = new (GetStateAllocator().Malloc(sizeof(OutputHandler))) OutputHandler);
     }
 
     static const size_t kDefaultSchemaStackCapacity = 1024;