From 296db618e9d1862aea788e90e751b4999db41a2a Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Wed, 12 Jan 2022 23:43:03 +0100
Subject: [PATCH] json_escape_str(): avoid harmless unsigned integer overflow
Current behaviour is perfectly valid, since wrap-over upon overflow is well defined behaviour for unsigned types, but it is nevertheless nice to be able to build with -fsanitize=undefined,unsigned-integer-overflow
There is no significant effect on the generated assembly as can be seen on the diff of objdump -d output on a optimized build (the compiler just decided to switch the order of a comparison):
@@ -135,8 +135,8 @@
 1d0: 0f 84 70 ff ff ff je 146
 1d6: 4c 3b 24 24 cmp (%rsp),%r12
 1da: 0f 85 2d ff ff ff jne 10d
- 1e0: 49 39 f4 cmp %rsi,%r12
- 1e3: 0f 87 b7 00 00 00 ja 2a0
+ 1e0: 4c 39 e6 cmp %r12,%rsi
+ 1e3: 0f 82 b7 00 00 00 jb 2a0
 1e9: 48 8b 44 24 18 mov 0x18(%rsp),%rax
 1ee: 64 48 33 04 25 28 00 xor %fs:0x28,%rax
 1f5: 00 00
---
 json_object.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/json_object.c b/json_object.c
index d59a317..1e4f86d 100644
--- a/json_object.c
+++ b/json_object.c
@@ -180,8 +180,9 @@ static int json_escape_str(struct printbuf *pb, const char *str, size_t len, int
 {
 size_t pos = 0, start_offset = 0;
 unsigned char c;
- while (len--)
+ while (len)
 {
+ --len;
 c = str[pos];
 switch (c)
 {
--
2.49.0
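Review bot: The new `while (len)` / `--len;` pair has no comment explaining why the decrement was moved out of the loop condition, so a later cleanup could fold it back into `while (len--)` and bring back the wrap that `-fsanitize=unsigned-integer-overflow` reports. A one-line comment above `--len;` would pin the intent, for example `/* not while (len--): the final test would wrap len to SIZE_MAX */`. The loop also now exits with `len == 0` rather than the wrapped value. The body of json_escape_str continues outside the hunk, so it is worth confirming that nothing after the loop reads `len`, although the objdump excerpt in the description suggests only a comparison order changed.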