authorWerner Koch <[email protected]>2018-07-16 10:34:52 +0000
committerWerner Koch <[email protected]>2018-07-16 10:37:06 +0000
commit013a7f47ab486c380b3c97637d3b15f11de74fe8 (patch)
treeb0ef2dffc2b603fafa7cd623e8e4b7585d1f6c65
parentpython bindings: example scripts (diff)
json: Fix buffer overflow in cJSON.c
* src/cJSON.c (parse_string): Correctly detect bad hex. -- The call to parse_hex4 checks that only hex digits follow and returns 0 in the error case. However, by the time of the combined check for an invalid value and the error, PTR has already been advanced to the last hex character; thus, if the end-of-string or a quote character was one of the bad hex digits, the loop misses the end of the string, which no longer matches the simple buffer length allocation test at the beginning of the function. Signed-off-by: Werner Koch <[email protected]>
-rw-r--r--src/cJSON.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/src/cJSON.c b/src/cJSON.c
index 38cb1523..610ff928 100644
--- a/src/cJSON.c
+++ b/src/cJSON.c
@@ -275,17 +275,22 @@ parse_string (cJSON * item, const char *str, const char **ep)
break;
case 'u': /* transcode utf16 to utf8. */
uc = parse_hex4 (ptr + 1);
+ if (!uc)
+ break; /* Bad hex; continue right after the 'u'. */
ptr += 4; /* get the unicode char. */
- if ((uc >= 0xDC00 && uc <= 0xDFFF) || uc == 0)
+ if ((uc >= 0xDC00 && uc <= 0xDFFF))
break; /* check for invalid. */
if (uc >= 0xD800 && uc <= 0xDBFF) /* UTF16 surrogate pairs. */
{
if (ptr[1] != '\\' || ptr[2] != 'u')
break; /* missing second-half of surrogate. */
- uc2 = parse_hex4 (ptr + 3);
- ptr += 6;
+ ptr += 2;
+ uc2 = parse_hex4 (ptr + 1);
+ if (!uc2)
+ break; /* Bad hex; continue right after the 'u'. */
+ ptr += 4;
if (uc2 < 0xDC00 || uc2 > 0xDFFF)
break; /* invalid second-half of surrogate. */
uc = 0x10000 + (((uc & 0x3FF) << 10) | (uc2 & 0x3FF));