Commit d6d5449

vwvwAlanscut

authored and

committed

fix DaveGamble#881, check overlap before calling strcpy in cJSON_SetValuestring

1 parent a78d975 commit d6d5449Copy full SHA for d6d5449

File tree

+12

-1

lines changed

+12

-1

lines changed

Lines changed: 12 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -403,6 +403,8 @@ CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number)`
`403`	`403`	`CJSON_PUBLIC(char) cJSON_SetValuestring(cJSON object, const char *valuestring)`
`404`	`404`	`{`
`405`	`405`	`char *copy = NULL;`
	`406`	`+ size_t v1_len;`
	`407`	`+ size_t v2_len;`
`406`	`408`	`/* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */`
`407`	`409`	`if ((object == NULL) \|\| !(object->type & cJSON_String) \|\| (object->type & cJSON_IsReference))`
`408`	`410`	`{`
`@@ -413,8 +415,17 @@ CJSON_PUBLIC(char) cJSON_SetValuestring(cJSON object, const char *valuestring)`
`413`	`415`	`{`
`414`	`416`	`return NULL;`
`415`	`417`	`}`
`416`		`- if (strlen(valuestring) <= strlen(object->valuestring))`
	`418`	`+`
	`419`	`+ v1_len = strlen(valuestring);`
	`420`	`+ v2_len = strlen(object->valuestring);`
	`421`	`+`
	`422`	`+ if (v1_len <= v2_len)`
`417`	`423`	`{`
	`424`	`+ /* strcpy does not handle overlapping string: [X1, X2] [Y1, Y2] => X2 < Y1 or Y2 < X1 */`
	`425`	`+ if (!( valuestring + v1_len < object->valuestring \|\| object->valuestring + v2_len < valuestring ))`
	`426`	`+ {`
	`427`	`+ return NULL;`
	`428`	`+ }`
`418`	`429`	`strcpy(object->valuestring, valuestring);`
`419`	`430`	`return object->valuestring;`
`420`	`431`	`}`

Comments

(0)