Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitd3117fc

Browse files
committed
Fix out-of-bounds read in json_lex_string
Commit3838fa2 added a lookahead loop to allow building strings multiplebytes at a time. This loop could exit because it reached the end of input,yet did not check for that before checking if we reached the end of avalid string. To fix, put the end of string check back in the outer loop.Per Valgrind animal skink
1 parent3b00a94 commitd3117fc

File tree

1 file changed

+10
-8
lines changed

1 file changed

+10
-8
lines changed

‎src/common/jsonapi.c

Lines changed: 10 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -686,6 +686,8 @@ json_lex_string(JsonLexContext *lex)
686686
lex->token_terminator=s;
687687
returnJSON_INVALID_TOKEN;
688688
}
689+
elseif (*s=='"')
690+
break;
689691
elseif (*s=='\\')
690692
{
691693
/* OK, we have an escape character. */
@@ -870,21 +872,21 @@ json_lex_string(JsonLexContext *lex)
870872
if (lex->strval!=NULL)
871873
appendBinaryStringInfo(lex->strval,s,p-s);
872874

873-
if (*p=='"')
874-
{
875-
/* Hooray, we found the end of the string! */
876-
lex->prev_token_terminator=lex->token_terminator;
877-
lex->token_terminator=p+1;
878-
returnJSON_SUCCESS;
879-
}
880-
881875
/*
882876
* s will be incremented at the top of the loop, so set it to just
883877
* behind our lookahead position
884878
*/
885879
s=p-1;
886880
}
887881
}
882+
883+
if (hi_surrogate!=-1)
884+
returnJSON_UNICODE_LOW_SURROGATE;
885+
886+
/* Hooray, we found the end of the string! */
887+
lex->prev_token_terminator=lex->token_terminator;
888+
lex->token_terminator=s+1;
889+
returnJSON_SUCCESS;
888890
}
889891

890892
/*

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp