Fix out-of-bounds read in json_lex_string

Commit 3838fa269 added a lookahead loop to allow building strings multiple bytes at a time. This loop could exit because it reached the end of input, yet did not check for that before checking if we reached the end of a valid string. To fix, put the end of string check back in the outer loop. Per Valgrind animal skink
2022-07-12 11:13:41 +07:00 · 2022-07-12 11:13:41 +07:00 · d3117fc1a3
commit d3117fc1a3
parent 3b00a944a9
1 changed files with 10 additions and 8 deletions
--- a/src/common/jsonapi.c
+++ b/src/common/jsonapi.c
@ -686,6 +686,8 @@ json_lex_string(JsonLexContext *lex)
 			lex->token_terminator = s;
 			return JSON_INVALID_TOKEN;
 		}
+		else if (*s == '"')
+			break;
 		else if (*s == '\\')
 		{
 			/* OK, we have an escape character. */
@ -870,14 +872,6 @@ json_lex_string(JsonLexContext *lex)
 			if (lex->strval != NULL)
 				appendBinaryStringInfo(lex->strval, s, p - s);

-			if (*p == '"')
-			{
-				/* Hooray, we found the end of the string! */
-				lex->prev_token_terminator = lex->token_terminator;
-				lex->token_terminator = p + 1;
-				return JSON_SUCCESS;
-			}
-
 			/*
 			 * s will be incremented at the top of the loop, so set it to just
 			 * behind our lookahead position
@ -885,6 +879,14 @@ json_lex_string(JsonLexContext *lex)
 			s = p - 1;
 		}
 	}
+
+	if (hi_surrogate != -1)
+		return JSON_UNICODE_LOW_SURROGATE;
+
+	/* Hooray, we found the end of the string! */
+	lex->prev_token_terminator = lex->token_terminator;
+	lex->token_terminator = s + 1;
+	return JSON_SUCCESS;
 }

 /*