🚑 fix for #405

871cebaf · Niels Lohmann · 8381cd60 · 871cebaf · 871cebaf · 871cebaf
Commit 871cebaf authored Dec 29, 2016 by Niels Lohmann
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 0 deletions

json.hpp src/json.hpp +6 -0

json.hpp.re2c src/json.hpp.re2c +6 -0

unit-regression.cpp test/src/unit-regression.cpp +7 -0

No files found.
--- a/src/json.hpp
+++ b/src/json.hpp
@@ -6871,6 +6871,12 @@ class basic_json
        {
            throw std::out_of_range("len+offset out of range");
        }
+        // last case: reading past the end of the vector
+        if (len + offset > size)
+        {
+            throw std::out_of_range("len+offset out of range");
+        }
    }
    /*!

--- a/src/json.hpp.re2c
+++ b/src/json.hpp.re2c
@@ -6871,6 +6871,12 @@ class basic_json
        {
            throw std::out_of_range("len+offset out of range");
        }
+        // last case: reading past the end of the vector
+        if (len + offset > size)
+        {
+            throw std::out_of_range("len+offset out of range");
+        }
    }
    /*!

--- a/test/src/unit-regression.cpp
+++ b/test/src/unit-regression.cpp
@@ -540,4 +540,11 @@ TEST_CASE("regression tests")
        CHECK(j.is_number_float());
        CHECK(j.dump() == "1.66020696663386e+20");
    }
+    SECTION("issue #405 - Heap-buffer-overflow (OSS-Fuzz issue 342)")
+    {
+        // original test case
+        std::vector<uint8_t> vec {0x65, 0xf5, 0x0a, 0x48, 0x21};
+        CHECK_THROWS_AS(json::from_cbor(vec), std::out_of_range);
+    }
 }