author | Eric S. Raymond <esr@thyrsus.com> | 2018-06-15 13:26:28 -0400 |
---|---|---|
committer | Eric S. Raymond <esr@thyrsus.com> | 2018-06-15 13:26:28 -0400 |
commit | 7646cbd04055a50b157312ba6b376e88bd398c19 (patch) | |
tree | ab1771d463eec4aad980e7a41e7f5144ec8f3248 /json.c | |
parent | bdf047fefaf6d158ebd628381471a3047c982015 (diff) | |
download | gpsd-7646cbd04055a50b157312ba6b376e88bd398c19.tar.gz |
Add bounds check in in_escape state of JSON parser.
Diffstat (limited to 'json.c')
-rw-r--r-- | json.c | 8 |
1 files changed, 7 insertions, 1 deletions
@@ -375,6 +375,12 @@ static int json_internal_read_object(const char *cp,
 if (pval == NULL)
 /* don't update end here, leave at value start */
 return JSON_ERR_NULLPTR;
+ else if (pval > valbuf + JSON_VAL_MAX - 1
+ || pval > valbuf + maxlen) {
+ json_debug_trace((1, "String value too long.\n"));
+ /* don't update end here, leave at value start */
+ return JSON_ERR_STRLONG; /* */
+ }
 switch (*cp) {
 case 'b':
 *pval++ = '\b';
@@ -400,7 +406,7 @@ static int json_internal_read_object(const char *cp,
 if (1 != sscanf(uescape, "%4x", &u)) {
 return JSON_ERR_BADSTRING;
 }
- *pval++ = (char)u; /* will truncate values above 0xff */
+ *pval++ = (unsigned char)u; /* will truncate values above 0xff */
 break;
 default: /* handles double quote and solidus */
 *pval++ = *cp; |
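Review bot: The new guard in the first hunk is only safe if valbuf holds at least JSON_VAL_MAX + 1 bytes, and that declaration is outside the hunk: with `>` the check still lets pval sit at `valbuf + JSON_VAL_MAX - 1`, the escape byte is written there, and a later terminator would land at index JSON_VAL_MAX. I would state that invariant above the check, e.g. `/* valbuf is JSON_VAL_MAX+1 bytes: one slot is kept for the NUL */`, once it is confirmed against the declaration. The second operand forms `valbuf + maxlen` before comparing, which is out-of-range pointer arithmetic if maxlen can ever exceed the buffer size; comparing offsets, `(pval - valbuf) > maxlen`, avoids that (maxlen's type and origin are not visible here, so a cast may be needed). The empty trailing `/* */` after `return JSON_ERR_STRLONG;` can be dropped. The enclosing function starts and ends outside the hunk.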
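Review bot: The `\u` path in the second hunk still stores whatever low byte `sscanf` produced, so an escape above 0xff is silently folded onto an unrelated byte and `\u0000` (or any code point whose low byte is zero) writes a NUL into the middle of the value; the cast to `unsigned char` changes the conversion but not that outcome. Since the comment already acknowledges the truncation, rejecting rather than truncating would be safer for anything that later compares, filters or logs the string: `if (u == 0 || u > 0xff) return JSON_ERR_BADSTRING;` before the store. Whether consumers treat the value as a C string is outside the hunk, so the NUL case should be confirmed against the callers. The enclosing function starts and ends outside the hunk.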