Made two security fixes.

2025-04-06 02:45:02 +02:00 · 2011-05-24 00:43:59 +00:00 · 2011-05-24 00:43:59 +00:00 · a77a803c85
commit a77a803c85
parent 785ba2675d
2 changed files with 11 additions and 0 deletions
--- a/src/lib_json/json_reader.cpp
+++ b/src/lib_json/json_reader.cpp
@ -611,6 +611,11 @@ Reader::decodeDouble( Token &token )
   int count;
   int length = int(token.end_ - token.start_);

+   // Sanity check to avoid buffer overflow exploits.
+   if (length < 0) {
+      return addError( "Unable to parse token length", token );
+   }
+
   // Avoid using a string constant for the format control string given to
   // sscanf, as this can cause hard to debug crashes on OS X. See here for more
   // info:
--- a/src/lib_json/json_value.cpp
+++ b/src/lib_json/json_value.cpp
@ -56,6 +56,12 @@ duplicateStringValue( const char *value,
 {
   if ( length == unknown )
      length = (unsigned int)strlen(value);
+
+   // Avoid an integer overflow in the call to malloc below by limiting length
+   // to a sane value.
+   if (length >= (unsigned)Value::maxInt)
+      length = Value::maxInt - 1;
+
   char *newString = static_cast<char *>( malloc( length + 1 ) );
   JSON_ASSERT_MESSAGE( newString != 0, "Failed to allocate string value buffer" );
   memcpy( newString, value, length );