Commit 6d10f4e9 authored by Andrew Dunstan

Only adjust negative indexes in json_get up to the length of the path.

The previous code resulted in memory access beyond the path bounds. The
cure is to move it into a code branch that checks the value of lex_level
is within the correct bounds.

Bug reported and diagnosed by Piotr Stefaniak.
parent d8f15c95
...@@ -977,27 +977,27 @@ get_array_start(void *state) ...@@ -977,27 +977,27 @@ get_array_start(void *state)
{ {
/* Initialize counting of elements in this array */ /* Initialize counting of elements in this array */
_state->array_cur_index[lex_level] = -1; _state->array_cur_index[lex_level] = -1;
/* INT_MIN value is reserved to represent invalid subscript */
if (_state->path_indexes[lex_level] < 0 &&
_state->path_indexes[lex_level] != INT_MIN)
{
/* Negative subscript -- convert to positive-wise subscript */
int nelements = json_count_array_elements(_state->lex);
if (-_state->path_indexes[lex_level] <= nelements)
_state->path_indexes[lex_level] += nelements;
}
} }
else if (lex_level == 0 && _state->npath == 0) else if (lex_level == 0 && _state->npath == 0)
{ {
/* /*
* Special case: we should match the entire array. We only need this * Special case: we should match the entire array. We only need this
* at outermost level because at nested levels the match will have * at the outermost level because at nested levels the match will
* been started by the outer field or array element callback. * have been started by the outer field or array element callback.
*/ */
_state->result_start = _state->lex->token_start; _state->result_start = _state->lex->token_start;
} }
/* INT_MIN value is reserved to represent invalid subscript */
if (_state->path_indexes[lex_level] < 0 &&
_state->path_indexes[lex_level] != INT_MIN)
{
/* Negative subscript -- convert to positive-wise subscript */
int nelements = json_count_array_elements(_state->lex);
if (-_state->path_indexes[lex_level] <= nelements)
_state->path_indexes[lex_level] += nelements;
}
} }
static void static void
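Review bot: The negative-subscript block, now placed directly after `_state->array_cur_index[lex_level] = -1;`, relies on the enclosing branch's check of lex_level for every read and write of `_state->path_indexes[lex_level]`, but nothing in the block states that dependency. Suggest extending its comment, for example `/* path_indexes[lex_level] is only valid inside this branch */`, so a later refactor does not hoist it back below the else-if. No regression test is visible with this change; a query whose JSON nests arrays deeper than the path length would cover the out-of-bounds case the commit message describes. The rewrap of the "Special case" comment ("at outermost level" to "at the outermost level") is unrelated to the fix and would be easier to review as a separate change.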
......