Overwriting terminated null character

[smorzhov]

json/src/json.hpp

Line 4684 in ec7a1d8

result[pos] = '\\';

I think it's better to check here the size of result and do something like:

if (result.size() > pos) {
    // overwrite trailing null character
    result[pos] = '\\';
}

[nlohmann]

I'm not sure if I understand your proposal. Here is the original code for reference:

if (c >= 0x00 and c <= 0x1f)
{
    // print character c as \uxxxx
    sprintf(&result[pos + 1], "u%04x", int(c));
    pos += 6;
    // overwrite trailing null character
    result[pos] = '\\';
}

The string result has already the correct size and contains entirely of slashes. Therefore, we can start writing the u1234 output at pos+1 to have \u1234. sprintf null-terminates the string, so result[pos] is a null byte. As later escapings rely on slashes in result, we overwrite that null byte with a slash.

[smorzhov]

Let's see what's going on if we have "\x01" string. extra_space for that string will return 5. So result in escape_string will be of size 6 (1 + 5). And at the end you are doing result[6] = '\\';. Isn't this an attempt to write out of memory?

[smorzhov]

Sorry, accidentally closed the issue

[nlohmann]

I just realized that the code you refer to is nearly 6 years old and has since been changed several times. See https://github.com/nlohmann/json/blob/develop/include/nlohmann/detail/output/serializer.hpp#L449 for the current implementation which looks much different to the previous one.