cJSON

mirror of Dave's cJSON

commit c3bd4463bed961340bf736da5b1b3eeac453160d
parent 9d7e8f117593f382cbaaecadc021fed347db86dc
Author: Max Bruckner <max@maxbruckner.de>
Date:   Wed, 15 Feb 2017 13:09:32 +0100

cJSON_Utils: Guard use of %lu format string for size_t

Diffstat:
McJSON_Utils.c | 24++++++++++++++++++++++++
1 file changed, 24 insertions(+), 0 deletions(-)

diff --git a/cJSON_Utils.c b/cJSON_Utils.c @@ -137,6 +137,14 @@ char *cJSONUtils_FindPointerFromObjectTo(cJSON *object, cJSON *target) { /* reserve enough memory for a 64 bit integer + '/' and '\0' */ unsigned char *ret = (unsigned char*)malloc(strlen((char*)found) + 23); + /* check if conversion to unsigned long is valid + * This should be eliminated at compile time by dead code elimination + * if size_t is an alias of unsigned long, or if it is bigger */ + if (c > ULONG_MAX) + { + free(found); + return NULL; + } sprintf((char*)ret, "/%lu%s", (unsigned long)c, found); /* /<array_index><path> */ free(found); @@ -584,12 +592,28 @@ static void cJSONUtils_CompareToPatch(cJSON *patches, const unsigned char *path, /* generate patches for all array elements that exist in "from" and "to" */ for (c = 0, from = from->child, to = to->child; from && to; from = from->next, to = to->next, c++) { + /* check if conversion to unsigned long is valid + * This should be eliminated at compile time by dead code elimination + * if size_t is an alias of unsigned long, or if it is bigger */ + if (c > ULONG_MAX) + { + free(newpath); + return; + } sprintf((char*)newpath, "%s/%lu", path, (unsigned long)c); /* path of the current array element */ cJSONUtils_CompareToPatch(patches, newpath, from, to); } /* remove leftover elements from 'from' that are not in 'to' */ for (; from; from = from->next, c++) { + /* check if conversion to unsigned long is valid + * This should be eliminated at compile time by dead code elimination + * if size_t is an alias of unsigned long, or if it is bigger */ + if (c > ULONG_MAX) + { + free(newpath); + return; + } sprintf((char*)newpath, "%lu", (unsigned long)c); cJSONUtils_GeneratePatch(patches, (const unsigned char*)"remove", path, newpath, 0); }
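Review bot: The new early return in the first hunk (cJSONUtils_FindPointerFromObjectTo) leaks `ret`: the `malloc` on the context line directly above has already run when `if (c > ULONG_MAX)` frees only `found` and returns NULL. Either move the guard above the allocation or add `free(ret);` next to `free(found);` in the guard body. The same context line hands the unchecked `malloc` result straight to `sprintf`, so a failed allocation becomes a write through NULL; `if (ret == NULL) { free(found); return NULL; }` before the `sprintf` would close that. The function body starts and ends outside the hunk.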
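Review bot: Both guards added in the second hunk (cJSONUtils_CompareToPatch) leave through a bare `return;` in a void function, so the caller cannot distinguish a complete patch list from one that stopped at the first index above ULONG_MAX. By the time the second loop's guard fires, earlier iterations may already have appended "remove" operations to `patches`, and applying such a partial patch would presumably leave the document in an unintended state. At minimum each guard should carry a comment such as `/* index not representable as unsigned long: the patch list is left incomplete */`, and it is worth checking whether the callers can be given a failure signal. The allocation of `newpath` is outside the hunk, so it should also be confirmed that it holds `strlen(path)` plus 22 bytes for the `"%s/%lu"` write.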