json_parse_ex can write in unreserved memory #175

Open
ghost opened this issue Nov 7, 2023 · 1 comment


ghost commented Nov 7, 2023

This code can easily write outside of the memory passed to store the error message.

I think the description of the error report memory should be described in json_settings to avoid parameter proliferation, and should include both a (possibly NULL) pointer to said memory, plus a size indication of it (either by passing an endptr or a size_t, but something). Or even better, a classic pair of callback+userdata pointers; the callback would only take the error message plus userdata.
I don't know what you would prefer, but currently I consider using the error report buffer as a bug, since there is no bounds checking of any sort there, and using standard C methods (memcpy, strncpy, etc) would require bumping the requirements to C99.

I'm ok to write a simple patch to fix this if the preferred method is defined before (to avoid wasting time on a patch that would be rejected).
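
The two interfaces proposed above (a pointer plus a size, and a callback plus userdata pointer), sketched together as an added example that is not part of the issue or of json-parser's code. `error_sink`, `report_error`, `count_cb` and the sample message are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical names throughout; none of this is json-parser's API. */
typedef void (*error_cb)(const char *msg, void *userdata);

typedef struct {
    char    *buf;       /* may be NULL: caller wants no message text */
    size_t   size;      /* bytes available at buf, including the NUL */
    error_cb cb;        /* may be NULL */
    void    *userdata;  /* handed back to cb untouched */
} error_sink;

/* Deliver msg to the callback (in full) and to buf (bounded).
 * Returns how many bytes of msg did not fit in buf; 0 if no buf was given. */
static size_t report_error(const error_sink *sink, const char *msg)
{
    size_t len = strlen(msg), n;

    if (sink->cb)
        sink->cb(msg, sink->userdata);
    if (!sink->buf || sink->size == 0)
        return 0;
    n = len < sink->size - 1 ? len : sink->size - 1;
    memcpy(sink->buf, msg, n);
    sink->buf[n] = '\0';        /* always terminated, never past size-1 */
    return len - n;
}

static void count_cb(const char *msg, void *userdata)
{
    *(size_t *)userdata = strlen(msg);
}

/* Constructed check: 8 usable bytes followed by 4 canary bytes. */
static int demo_truncates_in_bounds(void)
{
    char mem[12];
    size_t seen = 0;
    error_sink sink = { mem, 8, count_cb, &seen };

    memset(mem, 'X', sizeof mem);
    return report_error(&sink, "1:2: constructed sample error message") == 30
        && strcmp(mem, "1:2: co") == 0 && memcmp(mem + 8, "XXXX", 4) == 0
        && seen == 37;
}

int main(void) { return demo_truncates_in_bounds() ? 0 : 1; }
```

A non-zero return value tells the caller the buffer copy was truncated, while the callback still receives the full message.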

Member

LB-- commented Apr 6, 2024

Do you have an example that overflows? The json_error_max constant is defined to a value for a buffer size that is large enough to hold any error message; if you find an exception to that rule we'd like to know about it. You are right that the code you have highlighted is spooky, and there are better ways to do this, but we have to maintain compatibility with older code for now.
