json: Fix buffer overflow in cJSON.c

* src/cJSON.c (parse_string): Correctly detect bad hex.
--

The call to parse_hex4 checks that only hex digits follow and in the
error case returns 0.  However, by the time of the combined check for
an invalid value and the error, PTR has already been set to the last
hex character and thus, if the end-of-string or a quote character was
one of the bad hex digits, the loop will miss the end of the string
which does not match with the simple buffer length allocation test at
the beginning of the function.

Signed-off-by: Werner Koch <wk@gnupg.org>
Werner Koch 2018-07-16 12:34:52 +02:00
parent 1bb3f8409d
commit 013a7f47ab
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B


@ -275,17 +275,22 @@ parse_string (cJSON * item, const char *str, const char **ep)
break;
case 'u': /* transcode utf16 to utf8. */
uc = parse_hex4 (ptr + 1);
if (!uc)
break; /* Bad hex; continue right after the 'u'. */
ptr += 4; /* get the unicode char. */
if ((uc >= 0xDC00 && uc <= 0xDFFF) || uc == 0)
if ((uc >= 0xDC00 && uc <= 0xDFFF))
break; /* check for invalid. */
if (uc >= 0xD800 && uc <= 0xDBFF) /* UTF16 surrogate pairs. */
{
if (ptr[1] != '\\' || ptr[2] != 'u')
break; /* missing second-half of surrogate. */
uc2 = parse_hex4 (ptr + 3);
ptr += 6;
ptr += 2;
uc2 = parse_hex4 (ptr + 1);
if (!uc2)
break; /* Bad hex; continue right after the 'u'. */
ptr += 4;
if (uc2 < 0xDC00 || uc2 > 0xDFFF)
break; /* invalid second-half of surrogate. */
uc = 0x10000 + (((uc & 0x3FF) << 10) | (uc2 & 0x3FF));
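Review bot: the new `if (!uc) break;` placed before `ptr += 4` is what actually closes the overflow, so its comment should say why: a 0 return from parse_hex4 now leaves `ptr` on the 'u', so a closing quote or NUL that was among the four rejected characters is seen again by the outer loop instead of being skipped, and the same holds for the second half, where the break after `ptr += 2` leaves `ptr` on the second 'u'. Note that parse_hex4 returning 0 cannot be told apart from a literal `\u0000`, so that escape is rejected as "bad hex"; the old `|| uc == 0` test rejected it as well, so behaviour is unchanged, but the "Bad hex" comment should mention it. Minor: `if ((uc >= 0xDC00 && uc <= 0xDFFF))` keeps the double parentheses left over from the removed `|| uc == 0` clause; drop the outer pair.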