From 1e495945f1f20dcb986e27b4f55f1350fb2d10c6 Mon Sep 17 00:00:00 2001
From: Niels Lohmann
Date: Tue, 28 Mar 2017 18:06:43 +0200
Subject: [PATCH] :hammer: fixed buffer overflow
---
 src/json.hpp | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/json.hpp b/src/json.hpp
index cbd630e4d..bdb3861a5 100644
--- a/src/json.hpp
+++ b/src/json.hpp
@@ -8575,7 +8575,7 @@ class basic_json
 case 0x7f: // UTF-8 string (indefinite length)
 {
 std::string result;
- while (check_length(v.size(), 1, idx), v[idx] != 0xff)
+ while (static_cast(check_length(v.size(), 1, idx)), v[idx] != 0xff)
 {
 string_t s = from_cbor_internal(v, idx);
 result += s;
@@ -8671,7 +8671,7 @@ class basic_json
 case 0x9f: // array (indefinite length)
 {
 basic_json result = value_t::array;
- while (check_length(v.size(), 1, idx), v[idx] != 0xff)
+ while (static_cast(check_length(v.size(), 1, idx)), v[idx] != 0xff)
 {
 result.push_back(from_cbor_internal(v, idx));
 }
@@ -8776,7 +8776,7 @@ class basic_json
 case 0xbf: // map (indefinite length)
 {
 basic_json result = value_t::object;
- while (check_length(v.size(), 1, idx), v[idx] != 0xff)
+ while (static_cast(check_length(v.size(), 1, idx)), v[idx] != 0xff)
 {
 cbor_expect_string(v, idx);
 std::string key = from_cbor_internal(v, idx);
@@ -10442,7 +10442,9 @@ class basic_json
 std::string read(size_t offset, size_t length) override
 {
- return std::string(start + offset, length);
+ // avoid reading too many characters
+ const size_t max_length = static_cast(limit-start);
+ return std::string(start + offset, std::min({length, max_length}));
 }
 private:
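Review bot: The bounds check in the `case 0x7f` loop condition sits on the left of a comma operator and the cast now wrapped around it carries no explanation, so a reader can easily miss that `v[idx]` is only safe because `check_length` ran first. A comment above the `while`, for example `// check_length() must run before v[idx] is read; the cast only discards its result`, would make that ordering explicit (this assumes `check_length` reports an out-of-range index by throwing, which the hunk does not show). The same condition is repeated in the `case 0x9f` and `case 0xbf` hunks and would benefit from the same comment, or from a small helper that performs the check and returns the byte. All three loop bodies continue outside their hunks.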
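Review bot: The clamp in `read` bounds `length` by the size of the whole buffer (`limit-start`) while the copy begins at `start + offset`, so for any non-zero `offset` the string constructor can still read up to `offset` bytes past `limit`; this assumes `start` and `limit` delimit the buffer, which the hunk does not show. Clamp against what remains after the offset instead: `if (offset >= max_length) { return std::string(); }` followed by `return std::string(start + offset, std::min(length, max_length - offset));`. The early return also keeps `max_length - offset` from wrapping around when `offset` lies beyond the end of the buffer.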