generic-library/jsoncpp
1
0
Fork 0
mirror of https://github.com/open-source-parsers/jsoncpp.git synced 2025-06-07 01:04:55 +02:00
Code Issues Projects Releases Wiki Activity

Made two security fixes.

Browse Source
This commit is contained in:
Aaron Jacobs 2011-05-24 00:43:59 +00:00
parent 785ba2675d
commit a77a803c85
2 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/lib_json/json_reader.cpp
View File

@ -611,6 +611,11 @@ Reader::decodeDouble( Token &token )
int count; int count;
int length = int(token.end_ - token.start_); int length = int(token.end_ - token.start_);
// Sanity check to avoid buffer overflow exploits.
if (length < 0) {
return addError( "Unable to parse token length", token );
}
// Avoid using a string constant for the format control string given to // Avoid using a string constant for the format control string given to
// sscanf, as this can cause hard to debug crashes on OS X. See here for more // sscanf, as this can cause hard to debug crashes on OS X. See here for more
// info: // info:

6
src/lib_json/json_value.cpp
View File

@ -56,6 +56,12 @@ duplicateStringValue( const char *value,
{ {
if ( length == unknown ) if ( length == unknown )
length = (unsigned int)strlen(value); length = (unsigned int)strlen(value);
// Avoid an integer overflow in the call to malloc below by limiting length
// to a sane value.
if (length >= (unsigned)Value::maxInt)
length = Value::maxInt - 1;
char *newString = static_cast<char *>( malloc( length + 1 ) ); char *newString = static_cast<char *>( malloc( length + 1 ) );
JSON_ASSERT_MESSAGE( newString != 0, "Failed to allocate string value buffer" ); JSON_ASSERT_MESSAGE( newString != 0, "Failed to allocate string value buffer" );
memcpy( newString, value, length ); memcpy( newString, value, length );