Fix CVE-2018-10756:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10756

Patch copied from Fedora:

https://src.fedoraproject.org/rpms/transmission/blob/master/f/2123adf8e5e1c2b48791f9d22fc8c747e974180e.patch

--- a/libtransmission/variant.c	2018-05-01 12:21:08.000000000 -0500
+++ b/libtransmission/variant.c	2020-05-18 10:21:27.554214128 -0500
@@ -820,7 +820,7 @@
 struct SaveNode
 {
   const tr_variant * v;
-  tr_variant sorted;
+  tr_variant* sorted;
   size_t childIndex;
   bool isVisited;
 };
@@ -849,26 +849,33 @@
 
       qsort (tmp, n, sizeof (struct KeyIndex), compareKeyIndex);
 
-      tr_variantInitDict (&node->sorted, n);
+      node->sorted = tr_new(tr_variant, 1);
+      tr_variantInitDict (node->sorted, n);
       for (i=0; i<n; ++i)
-        node->sorted.val.l.vals[i] = *tmp[i].val;
+        node->sorted->val.l.vals[i] = *tmp[i].val;
       node->sorted.val.l.count = n;
 
       tr_free (tmp);
 
-      node->v = &node->sorted;
+      v = node->sorted;
     }
   else
     {
-      node->v = v;
+      node->sorted = NULL;
     }
+    
+    node->v = v;
 }
 
 static void
 nodeDestruct (struct SaveNode * node)
 {
-  if (node->v == &node->sorted)
-    tr_free (node->sorted.val.l.vals);
+    //TR_ASSERT(node != NULL);
+    if (node->sorted != NULL)
+    {
+        tr_free(node->sorted->val.l.vals);
+        tr_free(node->sorted);    
+    }
 }
 
 /**
--- a/libtransmission/variant.c	2020-05-18 10:21:49.000000000 -0500
+++ b/libtransmission/variant.c	2020-05-18 10:24:34.673648865 -0500
@@ -853,7 +853,7 @@
       tr_variantInitDict (node->sorted, n);
       for (i=0; i<n; ++i)
         node->sorted->val.l.vals[i] = *tmp[i].val;
-      node->sorted.val.l.count = n;
+      node->sorted->val.l.count = n;
 
       tr_free (tmp);