mirrors/postgres
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix out-of-bounds read in json_lex_string

Browse Source 
Commit 3838fa269 added a lookahead loop to allow building strings multiple
bytes at a time. This loop could exit because it reached the end of input,
yet did not check for that before checking if we reached the end of a
valid string. To fix, put the end of string check back in the outer loop.

Per Valgrind animal skink
This commit is contained in:
John Naylor 2022-07-12 11:13:41 +07:00
parent 3b00a944a9
commit d3117fc1a3
1 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/common/jsonapi.c
View File

@ -686,6 +686,8 @@ json_lex_string(JsonLexContext *lex)
lex->token_terminator = s; lex->token_terminator = s;
return JSON_INVALID_TOKEN; return JSON_INVALID_TOKEN;
} }
else if (*s == '"')
break;
else if (*s == '\\') else if (*s == '\\')
{ {
/* OK, we have an escape character. */ /* OK, we have an escape character. */
@ -870,14 +872,6 @@ json_lex_string(JsonLexContext *lex)
if (lex->strval != NULL) if (lex->strval != NULL)
appendBinaryStringInfo(lex->strval, s, p - s); appendBinaryStringInfo(lex->strval, s, p - s);
if (*p == '"')
{
/* Hooray, we found the end of the string! */
lex->prev_token_terminator = lex->token_terminator;
lex->token_terminator = p + 1;
return JSON_SUCCESS;
}
/* /*
* s will be incremented at the top of the loop, so set it to just * s will be incremented at the top of the loop, so set it to just
* behind our lookahead position * behind our lookahead position
@ -885,6 +879,14 @@ json_lex_string(JsonLexContext *lex)
s = p - 1; s = p - 1;
} }
} }
if (hi_surrogate != -1)
return JSON_UNICODE_LOW_SURROGATE;
/* Hooray, we found the end of the string! */
lex->prev_token_terminator = lex->token_terminator;
lex->token_terminator = s + 1;
return JSON_SUCCESS;
} }
/* /*