🐛 fixing #575

I forgot to consider the offset.
2017-05-07 13:41:48 +02:00 · 2017-05-07 13:41:48 +02:00 · fba1bcdd0b
parent 56ac7908f1
commit fba1bcdd0b
2 changed files with 7 additions and 1 deletions
--- a/src/json.hpp
+++ b/src/json.hpp
@ -8915,7 +8915,7 @@ class basic_json
        {
            // avoid reading too many characters
            const size_t max_length = static_cast<size_t>(limit - start);
-            return std::string(start + offset, std::min({length, max_length}));
+            return std::string(start + offset, std::min({length, max_length - offset}));
        }

      private:
--- a/test/src/unit-regression.cpp
+++ b/test/src/unit-regression.cpp
@ -1010,4 +1010,10 @@ TEST_CASE("regression tests")
        CHECK(not(6 <= j["a"]));
        CHECK(not(6 <  j["a"]));
    }
+
+    SECTION("issue #575 - heap-buffer-overflow (OSS-Fuzz 1400)")
+    {
+        std::vector<uint8_t> vec = {'"', '\\', '"', 'X', '"', '"'};
+        CHECK_THROWS_AS(json::parse(vec), json::parse_error);
+    }
 }