Empty strings and unicode zero values break json parsing. #53

Closed
SamB opened this Issue Dec 1, 2012 · 1 comment

2 participants

@SamB

Forwarded from http://bugs.debian.org/687269, reported by Vincent Sanders <vince@debian.org>:

Package: libjson0
Version: 0.10-1.1
Severity: important

If the input JSON contains an empty value (i.e. ""), the internal string
buffer is unterminated and unexpected behaviour occurs.

If the unicode value \u0000 appears in the input the string is
terminated early and the string is truncated.

The attached patch fixes these issues.

Index: json-c-0.10/json_object.c
===================================================================
--- json-c-0.10.orig/json_object.c  2012-04-29 10:55:43.000000000 -0700
+++ json-c-0.10/json_object.c   2012-08-30 11:26:08.000000000 -0700
@@ -531,8 +531,9 @@
   if(!jso) return NULL;
   jso->_delete = &json_object_string_delete;
   jso->_to_json_string = &json_object_string_to_json_string;
-  jso->o.c_string.str = malloc(len);
+  jso->o.c_string.str = malloc(len + 1);
   memcpy(jso->o.c_string.str, (void *)s, len);
+  jso->o.c_string.str[len] = '\0';
   jso->o.c_string.len = len;
   return jso;
 }
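Review bot: the result of `malloc(len + 1)` is still not checked before the `memcpy` and the new `jso->o.c_string.str[len] = '\0';` store, so an allocation failure dereferences NULL at the very line this hunk adds. Suggest guarding it in the same style as the `if(!jso) return NULL;` at the top of the hunk, releasing `jso` on failure. The `+ 1` and explicit terminator are the right fix for the `""` case: with `len == 0` the old `malloc(len)` produced a zero-byte buffer that any `strlen`-style reader would run past.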
Index: json-c-0.10/json_tokener.c
===================================================================
--- json-c-0.10.orig/json_tokener.c 2012-04-29 10:55:43.000000000 -0700
+++ json-c-0.10/json_tokener.c  2012-08-30 11:22:29.000000000 -0700
@@ -387,7 +387,7 @@
    while(1) {
      if(c == tok->quote_char) {
        printbuf_memappend_fast(tok->pb, case_start, str-case_start);
-       current = json_object_new_string(tok->pb->buf);
+       current = json_object_new_string_len(tok->pb->buf, tok->pb->bpos);
        saved_state = json_tokener_state_finish;
        state = json_tokener_state_eatws;
        break;
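Review bot: passing `tok->pb->bpos` instead of relying on `strlen(tok->pb->buf)` is what stops a decoded `\u0000` from truncating the value, but this hunk only changes the closing-quote branch of the string state. Any other place in the tokener that builds a string object from `tok->pb->buf` (object keys, for instance) would need the same `json_object_new_string_len` call for the fix to be consistent; worth confirming, and worth covering with the embedded-NUL test the commit message mentions so a regression to the `strlen` form is caught.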

(I'm not sure about the validity of the report, but it surely isn't a problem with Debian's packaging, and may indicate something about the documentation, so...)
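The two defects in the forwarded report, shown side by side as an added C example. This is not json-c's code: `str_obj`, `str_obj_new_len` and `str_obj_new` are hypothetical stand-ins for the two constructors the patch touches, and the sample bytes are constructed to represent a print buffer after the JSON escape `\u0000` has been decoded.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal string object (assumption: not json-c's layout). */
struct str_obj {
    char *str;
    size_t len;
};

/* Length-aware constructor, mirroring the patched json_object_new_string_len:
 * allocates len + 1 and writes the terminator, so the buffer is a valid C
 * string even when len == 0 or the data contains embedded NUL bytes. */
struct str_obj *str_obj_new_len(const char *s, size_t len)
{
    struct str_obj *o = malloc(sizeof *o);
    if (!o)
        return NULL;
    o->str = malloc(len + 1);
    if (!o->str) {          /* the check the patch itself still lacks */
        free(o);
        return NULL;
    }
    memcpy(o->str, s, len);
    o->str[len] = '\0';
    o->len = len;
    return o;
}

/* strlen-based constructor, mirroring the pre-fix tokener call: the length
 * is measured up to the first NUL, so a decoded \u0000 silently truncates. */
struct str_obj *str_obj_new(const char *s)
{
    return str_obj_new_len(s, strlen(s));
}

void str_obj_free(struct str_obj *o)
{
    if (!o)
        return;
    free(o->str);
    free(o);
}

/* Constructed sample: print-buffer contents for the JSON string "ab\u0000cd"
 * once the escape has been resolved into a raw NUL byte. */
static const char sample[] = { 'a', 'b', '\0', 'c', 'd' };
#define SAMPLE_LEN (sizeof sample)

/* Length recorded when the explicit-length path is used (expected 5). */
size_t stored_len_explicit(void)
{
    struct str_obj *o = str_obj_new_len(sample, SAMPLE_LEN);
    size_t n = o ? o->len : (size_t)-1;
    str_obj_free(o);
    return n;
}

/* Length recorded when the strlen path is used (expected 2: truncated). */
size_t stored_len_strlen(void)
{
    struct str_obj *o = str_obj_new(sample);
    size_t n = o ? o->len : (size_t)-1;
    str_obj_free(o);
    return n;
}

/* 1 if the explicit-length copy kept every byte and is still terminated. */
int embedded_nul_preserved(void)
{
    struct str_obj *o = str_obj_new_len(sample, SAMPLE_LEN);
    int ok = o && memcmp(o->str, sample, SAMPLE_LEN) == 0 && o->str[SAMPLE_LEN] == '\0';
    str_obj_free(o);
    return ok;
}

/* 1 if a zero-length input still yields a terminated, zero-length buffer. */
int empty_is_terminated(void)
{
    struct str_obj *o = str_obj_new_len("", 0);
    int ok = o && o->len == 0 && o->str[0] == '\0';
    str_obj_free(o);
    return ok;
}
```

The point for a reviewer is that the two fixes are independent: the `len + 1` allocation makes every stored string a valid C string, while the explicit-length call site is what keeps the bytes after an embedded NUL; dropping either one brings back one of the two reported behaviours.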

@hawicz hawicz added a commit that referenced this issue Dec 9, 2012
@hawicz hawicz Fix issue #53 - ensure explicit length string are still NUL terminated, and fix json_tokener_parse() to work properly with embedded unicode \u0000 values in strings.

Adjust test_null to check for this case.
See also http://bugs.debian.org/687269
4e4af93
@hawicz
json-c member

Fixed. Thanks for the bug report!

@hawicz hawicz closed this Dec 9, 2012