Heap buffer overflow in tokenadd() (fix #105)

author Nicolas Williams <nico@cryptonector.com>

Sat, 24 Oct 2015 22:24:57 +0000 (17:24 -0500)

committer Nicolas Williams <nico@cryptonector.com>

Sat, 24 Oct 2015 22:27:56 +0000 (17:27 -0500)
author Nicolas Williams <nico@cryptonector.com>
Sat, 24 Oct 2015 22:24:57 +0000 (17:24 -0500)
committer Nicolas Williams <nico@cryptonector.com>
Sat, 24 Oct 2015 22:27:56 +0000 (17:27 -0500)
diff --git a/src/jv_parse.c b/src/jv_parse.c

index 3102ed4fbc1e62a6da40fd0d182a1fac97ac6857..84245b867e5d8a1f1fc4e22cb1ee46e53da075df 100644 (file)
--- a/src/jv_parse.c
+++ b/src/jv_parse.c
@@ -383,7 +383,7 @@ static pfunc stream_token(struct jv_parser* p, char ch) {
  
  static void tokenadd(struct jv_parser* p, char c) {
    assert(p->tokenpos <= p->tokenlen);
-  if (p->tokenpos == p->tokenlen) {
+  if (p->tokenpos >= (p->tokenlen - 1)) {
      p->tokenlen = p->tokenlen*2 + 256;
      p->tokenbuf = jv_mem_realloc(p->tokenbuf, p->tokenlen);
    }
@@ -485,7 +485,7 @@ static pfunc check_literal(struct jv_parser* p) {
      TRY(value(p, v));
    } else {
      // FIXME: better parser
-    p->tokenbuf[p->tokenpos] = 0; // FIXME: invalid
+    p->tokenbuf[p->tokenpos] = 0;
      char* end = 0;
      double d = jvp_strtod(&p->dtoa, p->tokenbuf, &end);
      if (end == 0 || *end != 0)
author	Nicolas Williams <nico@cryptonector.com>
	Sat, 24 Oct 2015 22:24:57 +0000 (17:24 -0500)
committer	Nicolas Williams <nico@cryptonector.com>
	Sat, 24 Oct 2015 22:27:56 +0000 (17:27 -0500)