GenericValue::FindMember: avoid buffer overflow

In GenericValue::FindMember, the 'name' argument may be dereferenced beyond its length, depending on the lengths of the currently existing member names in the JSON object. Instead of unconditionally dereferencing the given string, check for its length first and skip comparisons for different lengths. Fixes http://code.google.com/p/rapidjson/issues/detail?id=108.
pah · Apr 23, 2014 · f86af8c · f86af8c
1 parent 4c0265c
commit f86af8c
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/include/rapidjson/document.h b/include/rapidjson/document.h
@@ -289,9 +289,10 @@ class GenericValue {
 		RAPIDJSON_ASSERT(name);
 		RAPIDJSON_ASSERT(IsObject());
 
+		SizeType len = internal::StrLen(name);
 		Object& o = data_.o;
 		for (Member* member = o.members; member != data_.o.members + data_.o.size; ++member)
-			if (name[member->name.data_.s.length] == '\0' && memcmp(member->name.data_.s.str, name, member->name.data_.s.length * sizeof(Ch)) == 0)
+			if (member->name.data_.s.length == len && memcmp(member->name.data_.s.str, name, len * sizeof(Ch)) == 0)
 				return member;
 
 		return 0;