authorEric S. Raymond <esr@thyrsus.com>2018-06-15 13:26:28 -0400
committerEric S. Raymond <esr@thyrsus.com>2018-06-15 13:26:28 -0400
commit7646cbd04055a50b157312ba6b376e88bd398c19 (patch)
treeab1771d463eec4aad980e7a41e7f5144ec8f3248 /json.c
parentbdf047fefaf6d158ebd628381471a3047c982015 (diff)
Add bounds check in in_escape state of JSON parser.
Diffstat (limited to 'json.c')
-rw-r--r--json.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/json.c b/json.c
index c97fd161..1d3c4cd9 100644
--- a/json.c
+++ b/json.c
@@ -375,6 +375,12 @@ static int json_internal_read_object(const char *cp,
if (pval == NULL)
/* don't update end here, leave at value start */
return JSON_ERR_NULLPTR;
+ else if (pval > valbuf + JSON_VAL_MAX - 1
+ || pval > valbuf + maxlen) {
+ json_debug_trace((1, "String value too long.\n"));
+ /* don't update end here, leave at value start */
+ return JSON_ERR_STRLONG; /* */
+ }
switch (*cp) {
case 'b':
*pval++ = '\b';
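Review bot: The added guard `pval > valbuf + maxlen` builds a pointer from `maxlen` before comparing, and if `maxlen` can exceed the size of `valbuf` (its declaration and the range of `maxlen` are outside the hunk) that pointer arithmetic is undefined behaviour, which an optimising compiler may use to drop the check. Comparing offsets avoids the problem: `else if (pval - valbuf > JSON_VAL_MAX - 1 || pval - valbuf > (ptrdiff_t)maxlen) {`. The `>` comparison still permits a write at `valbuf[JSON_VAL_MAX - 1]`, which leaves room for the terminator only if `valbuf` holds at least `JSON_VAL_MAX + 1` bytes, so a comment next to the check stating that assumption would help the next reader. The empty `/* */` after `return JSON_ERR_STRLONG;` can be removed.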
@@ -400,7 +406,7 @@ static int json_internal_read_object(const char *cp,
if (1 != sscanf(uescape, "%4x", &u)) {
return JSON_ERR_BADSTRING;
}
- *pval++ = (char)u; /* will truncate values above 0xff */
+ *pval++ = (unsigned char)u; /* will truncate values above 0xff */
break;
default: /* handles double quote and solidus */
*pval++ = *cp;
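Review bot: The store `*pval++ = (unsigned char)u;` still silently truncates any `\u` escape above 0xff, so an input such as `\u0100` is written as a NUL byte and cuts the value short for every later C-string consumer. Rejecting the escape is safer than truncating it, for example `if (u > 0xff) return JSON_ERR_BADSTRING;` ahead of the store. Whether `\u0000` should be refused as well depends on how callers use the value, which is outside the hunk. If `pval` is a `char *`, the new cast changes only the intermediate type and the stored byte is the same as before, so the truncation comment remains accurate.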