test_json: add another try to overflow a JSON buffer.

1 files changed, 36 insertions, 11 deletions

diff --git a/test_json.c b/test_json.c
index 35f0481b..815d0261 100644
--- a/test_json.c
+++ b/test_json.c
@@ -15,7 +15,7 @@
 #include "gps_json.h"
 
 /* GPSD is built with JSON_MINIMAL.  Any !JSON_MINIMAL tests,
- * like 16, 17 and 18 will thus fail.
+ * like 17, 18 and 19 will thus fail.
  * So this define removes them, they never execute.
  */
 #define JSON_MINIMAL
@@ -247,7 +247,6 @@ static char *json_strErr1 = "{\"class\":\"ERROR\",\"message\":\"0\\u00334\"}";
 
 /* Case 15: test buffer overflow of short string destination */
 
-// static char json_strErr2[7 * JSON_VAL_MAX];  /* dynamically built */
 static char *json_strOver = "{\"name\":\"\\u0033\\u0034\\u0035\\u0036\"}";
 
 char json_short_string_dst[2];
@@ -260,8 +259,13 @@ static const struct json_attr_t json_short_string[] = {
     {NULL},
 };
 
+/* Case 16: test buffer overflow of short string destination */
+
+static char json_strOver2[7 * JSON_VAL_MAX];  /* dynamically built */
+
+
 #ifndef JSON_MINIMAL
-/* Case 16: Read array of integers */
+/* Case 17: Read array of integers */
 
 static const char *json_strInt = "[23,-17,5]";
 static int intstore[4], intcount;
@@ -273,7 +277,7 @@ static const struct json_array_t json_array_Int = {
     .maxlen = sizeof(intstore)/sizeof(intstore[0]),
 };
 
-/* Case 17: Read array of booleans */
+/* Case 18: Read array of booleans */
 
 static const char *json_strBool = "[true,false,true]";
 static bool boolstore[4];
@@ -286,7 +290,7 @@ static const struct json_array_t json_array_Bool = {
     .maxlen = sizeof(boolstore)/sizeof(boolstore[0]),
 };
 
-/* Case 18: Read array of reals */
+/* Case 19: Read array of reals */
 
 static const char *json_strReal = "[23.1,-17.2,5.3]";
 static double realstore[4];
@@ -304,7 +308,8 @@ static const struct json_array_t json_array_Real = {
 
 static void jsontest(int i)
 {
-    int status = 0;
+    int status = 0;   /* libgps_json_unpack() returned status */
+    int n;            /* generic index */
 
     if (0 < debug) {
 	(void)fprintf(stderr, "Running test #%d.\n", i);
@@ -470,10 +475,30 @@ static void jsontest(int i)
 	assert_integer("count", json_short_string_cnt, 0);
 	break;
 
+    case 16:
+        /* check for string overrun caught */
+        json_strOver2[0] = '\0';
+        /* build a LONG test string */
+	strlcat(json_strOver2, "{\"name\":\"", sizeof(json_strOver2));
+        for (n = 0; n < (2 * JSON_VAL_MAX); n++) {
+	    strlcat(json_strOver2, "\\u0033", sizeof(json_strOver2));
+        }
+	strlcat(json_strOver2, "\"}", sizeof(json_strOver2));
+
+	if (2 < debug) {
+	    (void)fprintf(stderr, "test string: %s.\n", json_strOver);
+	}
+	json_short_string_cnt = 7;
+	status = json_read_object(json_strOver2, json_short_string, NULL);
+	assert_case(i, JSON_ERR_STRLONG != status);
+	assert_string("name", json_short_string_dst, "");
+	assert_integer("count", json_short_string_cnt, 0);
+	break;
+
 #ifdef JSON_MINIMAL
-#define MAXTEST 15
+#define MAXTEST 16
 #else
-    case 16:
+    case 17:
 	status = json_read_array(json_strInt, &json_array_Int, NULL);
 	assert_integer("count", intcount, 3);
 	assert_integer("intstore[0]", intstore[0], 23);
@@ -482,7 +507,7 @@ static void jsontest(int i)
 	assert_integer("intstore[3]", intstore[3], 0);
 	break;
 
-    case 17:
+    case 18:
 	status = json_read_array(json_strBool, &json_array_Bool, NULL);
 	assert_integer("count", boolcount, 3);
 	assert_boolean("boolstore[0]", boolstore[0], true);
@@ -491,7 +516,7 @@ static void jsontest(int i)
 	assert_boolean("boolstore[3]", boolstore[3], false);
 	break;
 
-    case 18:
+    case 19:
 	status = json_read_array(json_strReal, &json_array_Real, NULL);
 	assert_integer("count", realcount, 3);
 	assert_real("realstore[0]", realstore[0], 23.1);
@@ -500,7 +525,7 @@ static void jsontest(int i)
 	assert_real("realstore[3]", realstore[3], 0);
 	break;
 
-#define MAXTEST 18
+#define MAXTEST 19
 #endif /* JSON_MINIMAL */
 
     default: