Fix a buffer overflow in upstream cJSON.

This is DaveGamble/cJSON#30, and fixes issue #466.
2016-10-05 13:59:40 -07:00 · 2016-10-05 13:59:40 -07:00 · d99a69f92b
--- a/src/cjson.c
+++ b/src/cjson.c
@ -204,9 +204,20 @@ static const char *parse_string(cJSON *item,const char *str,const char **ep)
 {
 	const char *ptr=str+1,*end_ptr=str+1;char *ptr2;char *out;int len=0;unsigned uc,uc2;
 	if (*str!='\"') {*ep=str;return 0;}	/* not a string! */
-	
-	while (*end_ptr!='\"' && *end_ptr && ++len) if (*end_ptr++ == '\\') end_ptr++;	/* Skip escaped quotes. */
-	
+
+	while (*end_ptr!='\"' && *end_ptr && ++len)
+	{
+	    if (*end_ptr++ == '\\')
+	    {
+		if (*end_ptr == '\0')
+		{
+		    /* prevent buffer overflow when last input character is a backslash */
+		    return 0;
+		}
+		end_ptr++;	/* Skip escaped quotes. */
+	    }
+	}
+
 	out=(char*)cJSON_malloc(len+1);	/* This is how long we need for the string, roughly. */
 	if (!out) return 0;
 	item->valuestring=out; /* assign here so out will be deleted during cJSON_Delete() later */