From 89e637a8427616a1c22ed96d05396b254f38556d Mon Sep 17 00:00:00 2001
From: DongHun Kwak <dh0128.kwak@samsung.com>
Date: Mon, 10 Jul 2017 17:26:43 +0900
Subject: [PATCH] Issue #275: fix out of bounds read when handling unicode
 surrogate pairs.

Change-Id: Ib3075623b4a251bed5e363e858a73e6913d973a4
Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
---
 json_tokener.c            | 6 +++---
 tests/test_parse.c        | 5 +++++
 tests/test_parse.expected | 1 +
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/json_tokener.c b/json_tokener.c
index decbb65..611db5a 100644
--- a/json_tokener.c
+++ b/json_tokener.c
@@ -535,7 +535,7 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
 
 	  /* Handle a 4-byte sequence, or two sequences if a surrogate pair */
 	  while(1) {
-	    if(strchr(json_hex_chars, c)) {
+	    if( c && strchr(json_hex_chars, c)) {
 	      tok->ucs_char += ((unsigned int)hexdigit(c) << ((3-tok->st_pos++)*4));
 	      if(tok->st_pos == 4) {
 		unsigned char unescaped_utf[4];
@@ -566,8 +566,8 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
                    */
                   got_hi_surrogate = tok->ucs_char;
                   /* Not at end, and the next two chars should be "\u" */
-                  if ((tok->char_offset+1 != len) &&
-                      (tok->char_offset+2 != len) &&
+                  if ((len == -1 || len > (tok->char_offset + 2)) &&
+                      // str[0] != '0' &&  // implied by json_hex_chars, above. 
                       (str[1] == '\\') &&
                       (str[2] == 'u'))
                   {
diff --git a/tests/test_parse.c b/tests/test_parse.c
index 8808d0f..03048a7 100644
--- a/tests/test_parse.c
+++ b/tests/test_parse.c
@@ -43,6 +43,11 @@ static void test_basic_parse()
 	printf("new_obj.to_string()=%s\n", json_object_to_json_string(new_obj));
 	json_object_put(new_obj);
 
+	// Test with a "short" high surrogate 
+	new_obj = json_tokener_parse("[9,'\\uDAD");
+	printf("new_obj.to_string()=%s\n", json_object_to_json_string(new_obj));
+	json_object_put(new_obj);
+
 	new_obj = json_tokener_parse("null");
 	printf("new_obj.to_string()=%s\n", json_object_to_json_string(new_obj));
 	json_object_put(new_obj);
diff --git a/tests/test_parse.expected b/tests/test_parse.expected
index d49cbbb..148c489 100644
--- a/tests/test_parse.expected
+++ b/tests/test_parse.expected
@@ -3,6 +3,7 @@ new_obj.to_string()="foo"
 new_obj.to_string()="foo"
 new_obj.to_string()="ABC"
 new_obj.to_string()=null
+new_obj.to_string()=null
 new_obj.to_string()=NaN
 new_obj.to_string()=null
 new_obj.to_string()=null
-- 
2.7.4