granicus.if.org Git - json-c/commit

author	Tobias Stoeckmann <tobias@stoeckmann.org>
	Sat, 16 May 2020 11:01:10 +0000 (13:01 +0200)
committer	Tobias Stoeckmann <tobias@stoeckmann.org>
	Sat, 16 May 2020 13:26:16 +0000 (15:26 +0200)
commit	5385a566db80428c39c80abbf48f35f59760e975
tree	ab8c4e72d390a0518e200fd4d3ed2bdf1a6a389f	tree \| snapshot
parent	0a3d22b9bb58dfbba8b0ab25b9fb14fdf6136f49	commit \| diff

Prevent truncation on custom double formatters.

A custom double formatter can lead to truncation of the rest of the
JSON document.

If a custom formatter completely fills the buffer used by snprintf
with a trailing dot or comma and the formatting option
JSON_C_TO_STRING_NOZERO has been specified, then an iterator moves
past the ending '\0' (off-by-one buffer overflow) to set an
additional '\0' and adds the first '\0' into the printbuf.

Since '\0' will eventually be considered the terminating character
of the complete printbuf result, all trailing characters are lost.

This leads to an incomplete JSON string as can be seen with the
test case.

The off-by-one can be noticed if compiled with address sanitizer.

Since this is a very special case and a malformed formatter could
do way more harm and is the responsibility of the user of this
library, this is just a protective measure to keep json-c code as
robust as possible.

json_object.c		diff \| blob \| history
tests/test_set_serializer.c		diff \| blob \| history
tests/test_set_serializer.expected		diff \| blob \| history