You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I would expect to not write anything, but writing before the beginning of the output buffer is extra bad.
I happened to exercise this with something like mjson_snprintf(NULL, 0, "foo");.
See below patch for a unit test that exercises the issue.
diff --git a/test/unit_test.c b/test/unit_test.c
index 93bdd36..14579ed 100644
--- a/test/unit_test.c+++ b/test/unit_test.c@@ -412,6 +412,19 @@ static void test_print(void) {
ASSERT(memcmp(tmp, str, 15) == 0);
ASSERT(fb.len < fb.size);
}
++ {+ struct mjson_fixedbuf fb = {&tmp[1], 0, 0};+ tmp[0] = (char)0xA5; // arbitrary non-ascii value+ const char *s = "a\b\n\f\r\t\"";+ // Unsure about what I would expect the return value to be+ ASSERT(mjson_print_str(&mjson_print_fixed_buf, &fb, s, 7) == -1);+ // wrote a null to buf[-1]+ ASSERT(tmp[0] == '\0');+ // This is what we should actually expect if it didn't write out of bounds. This fails+ ASSERT(tmp[0] == (char)0xA5);+ ASSERT(fb.len < fb.size);+ }
}
static int f1(mjson_print_fn_t fn, void *fndata, va_list *ap) {
The text was updated successfully, but these errors were encountered:
When passing a zero length output buffer, mjson_print_fixed_buf (specifically, this line https://github.com/cesanta/mjson/blob/master/src/mjson.c#L479) writes out of bounds
fb->len
is-1
.I would expect to not write anything, but writing before the beginning of the output buffer is extra bad.
I happened to exercise this with something like
mjson_snprintf(NULL, 0, "foo");
.See below patch for a unit test that exercises the issue.
The text was updated successfully, but these errors were encountered: