Fix a buffer overflow in upstream cJSON.

This is DaveGamble/cJSON#30, and fixes issue #466.
esnet · Oct 5, 2016 · d99a69f · d99a69f
1 parent 1a756a9
commit d99a69f
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/src/cjson.c b/src/cjson.c
@@ -204,9 +204,20 @@ static const char *parse_string(cJSON *item,const char *str,const char **ep)
 {
 	const char *ptr=str+1,*end_ptr=str+1;char *ptr2;char *out;int len=0;unsigned uc,uc2;
 	if (*str!='\"') {*ep=str;return 0;}	/* not a string! */
-
-	while (*end_ptr!='\"' && *end_ptr && ++len) if (*end_ptr++ == '\\') end_ptr++;	/* Skip escaped quotes. */
-
+
+	while (*end_ptr!='\"' && *end_ptr && ++len)
+	{
+	    if (*end_ptr++ == '\\')
+	    {
+		if (*end_ptr == '\0')
+		{
+		    /* prevent buffer overflow when last input character is a backslash */
+		    return 0;
+		}
+		end_ptr++;	/* Skip escaped quotes. */
+	    }
+	}
+
 	out=(char*)cJSON_malloc(len+1);	/* This is how long we need for the string, roughly. */
 	if (!out) return 0;
 	item->valuestring=out; /* assign here so out will be deleted during cJSON_Delete() later */