projects / platform / upstream / json-c.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 825c1f5)
Issue #275: fix out of bounds read when handling unicode surrogate pairs. 08/137908/1 accepted/tizen_4.0_unified tizen_4.0 tizen_4.0_tv accepted/tizen/4.0/unified/20170816.013752 accepted/tizen/4.0/unified/20170828.222916 accepted/tizen/unified/20170712.164932 submit/tizen/20170711.011459 submit/tizen_4.0/20170811.094300 submit/tizen_4.0/20170828.100006 tizen_4.0.IoT.p1_release tizen_4.0.IoT.p2_release tizen_4.0.m2_release
authorDongHun Kwak <dh0128.kwak@samsung.com>
Mon, 10 Jul 2017 08:26:43 +0000 (17:26 +0900)
committerDongHun Kwak <dh0128.kwak@samsung.com>
Mon, 10 Jul 2017 08:26:43 +0000 (17:26 +0900)
Change-Id: Ib3075623b4a251bed5e363e858a73e6913d973a4
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
json_tokener.c patch | blob | history
tests/test_parse.c patch | blob | history
tests/test_parse.expected patch | blob | history

diff --git a/json_tokener.c b/json_tokener.c
index decbb65..611db5a 100644 (file)
--- a/json_tokener.c
+++ b/json_tokener.c
@@ -535,7 +535,7 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
 
          /* Handle a 4-byte sequence, or two sequences if a surrogate pair */
          while(1) {
-           if(strchr(json_hex_chars, c)) {
+           if( c && strchr(json_hex_chars, c)) {
              tok->ucs_char += ((unsigned int)hexdigit(c) << ((3-tok->st_pos++)*4));
              if(tok->st_pos == 4) {
                unsigned char unescaped_utf[4];
@@ -566,8 +566,8 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
                    */
                   got_hi_surrogate = tok->ucs_char;
                   /* Not at end, and the next two chars should be "\u" */
-                  if ((tok->char_offset+1 != len) &&
-                      (tok->char_offset+2 != len) &&
+                  if ((len == -1 || len > (tok->char_offset + 2)) &&
+                      // str[0] != '0' &&  // implied by json_hex_chars, above. 
                       (str[1] == '\\') &&
                       (str[2] == 'u'))
                   {
diff --git a/tests/test_parse.c b/tests/test_parse.c
index 8808d0f..03048a7 100644 (file)
--- a/tests/test_parse.c
+++ b/tests/test_parse.c
@@ -43,6 +43,11 @@ static void test_basic_parse()
        printf("new_obj.to_string()=%s\n", json_object_to_json_string(new_obj));
        json_object_put(new_obj);
 
+       // Test with a "short" high surrogate 
+       new_obj = json_tokener_parse("[9,'\\uDAD");
+       printf("new_obj.to_string()=%s\n", json_object_to_json_string(new_obj));
+       json_object_put(new_obj);
+
        new_obj = json_tokener_parse("null");
        printf("new_obj.to_string()=%s\n", json_object_to_json_string(new_obj));
        json_object_put(new_obj);
diff --git a/tests/test_parse.expected b/tests/test_parse.expected
index d49cbbb..148c489 100644 (file)
--- a/tests/test_parse.expected
+++ b/tests/test_parse.expected
@@ -3,6 +3,7 @@ new_obj.to_string()="foo"
 new_obj.to_string()="foo"
 new_obj.to_string()="ABC"
 new_obj.to_string()=null
+new_obj.to_string()=null
 new_obj.to_string()=NaN
 new_obj.to_string()=null
 new_obj.to_string()=null
Domain: System / Base;