Skip to content

J
json
Commit cdd3b5a6 by Niels Lohmann
Options

🚑 fix for #416

parent 76763787
Showing with 36 additions and 18 deletions
src/json.hpp
......@@ -6938,11 +6938,10 @@ class basic_json
case 0xca: // float 32
{
// copy bytes in reverse order into the double variable
check_length(v.size(), sizeof(float), 1);
float res;
for (size_t byte = 0; byte < sizeof(float); ++byte)
{
reinterpret_cast<uint8_t*>(&res)[sizeof(float) - byte - 1] = v[current_idx + 1 + byte];
reinterpret_cast<uint8_t*>(&res)[sizeof(float) - byte - 1] = v.at(current_idx + 1 + byte);
}
idx += sizeof(float); // skip content bytes
return res;
......@@ -6951,11 +6950,10 @@ class basic_json
case 0xcb: // float 64
{
// copy bytes in reverse order into the double variable
check_length(v.size(), sizeof(double), 1);
double res;
for (size_t byte = 0; byte < sizeof(double); ++byte)
{
reinterpret_cast<uint8_t*>(&res)[sizeof(double) - byte - 1] = v[current_idx + 1 + byte];
reinterpret_cast<uint8_t*>(&res)[sizeof(double) - byte - 1] = v.at(current_idx + 1 + byte);
}
idx += sizeof(double); // skip content bytes
return res;
......@@ -7549,11 +7547,10 @@ class basic_json
case 0xfa: // Single-Precision Float (four-byte IEEE 754)
{
// copy bytes in reverse order into the float variable
check_length(v.size(), sizeof(float), 1);
float res;
for (size_t byte = 0; byte < sizeof(float); ++byte)
{
reinterpret_cast<uint8_t*>(&res)[sizeof(float) - byte - 1] = v[current_idx + 1 + byte];
reinterpret_cast<uint8_t*>(&res)[sizeof(float) - byte - 1] = v.at(current_idx + 1 + byte);
}
idx += sizeof(float); // skip content bytes
return res;
......@@ -7561,12 +7558,11 @@ class basic_json
case 0xfb: // Double-Precision Float (eight-byte IEEE 754)
{
check_length(v.size(), sizeof(double), 1);
// copy bytes in reverse order into the double variable
double res;
for (size_t byte = 0; byte < sizeof(double); ++byte)
{
reinterpret_cast<uint8_t*>(&res)[sizeof(double) - byte - 1] = v[current_idx + 1 + byte];
reinterpret_cast<uint8_t*>(&res)[sizeof(double) - byte - 1] = v.at(current_idx + 1 + byte);
}
idx += sizeof(double); // skip content bytes
return res;
......
src/json.hpp.re2c
......@@ -6938,11 +6938,10 @@ class basic_json
case 0xca: // float 32
{
// copy bytes in reverse order into the double variable
check_length(v.size(), sizeof(float), 1);
float res;
for (size_t byte = 0; byte < sizeof(float); ++byte)
{
reinterpret_cast<uint8_t*>(&res)[sizeof(float) - byte - 1] = v[current_idx + 1 + byte];
reinterpret_cast<uint8_t*>(&res)[sizeof(float) - byte - 1] = v.at(current_idx + 1 + byte);
}
idx += sizeof(float); // skip content bytes
return res;
......@@ -6951,11 +6950,10 @@ class basic_json
case 0xcb: // float 64
{
// copy bytes in reverse order into the double variable
check_length(v.size(), sizeof(double), 1);
double res;
for (size_t byte = 0; byte < sizeof(double); ++byte)
{
reinterpret_cast<uint8_t*>(&res)[sizeof(double) - byte - 1] = v[current_idx + 1 + byte];
reinterpret_cast<uint8_t*>(&res)[sizeof(double) - byte - 1] = v.at(current_idx + 1 + byte);
}
idx += sizeof(double); // skip content bytes
return res;
......@@ -7517,7 +7515,6 @@ class basic_json
case 0xf9: // Half-Precision Float (two-byte IEEE 754)
{
check_length(v.size(), 2, 1);
idx += 2; // skip two content bytes
// code from RFC 7049, Appendix D, Figure 3:
......@@ -7527,7 +7524,7 @@ class basic_json
// include at least decoding support for them even without such
// support. An example of a small decoder for half-precision
// floating-point numbers in the C language is shown in Fig. 3.
const int half = (v[current_idx + 1] << 8) + v[current_idx + 2];
const int half = (v.at(current_idx + 1) << 8) + v.at(current_idx + 2);
const int exp = (half >> 10) & 0x1f;
const int mant = half & 0x3ff;
double val;
......@@ -7549,11 +7546,10 @@ class basic_json
case 0xfa: // Single-Precision Float (four-byte IEEE 754)
{
// copy bytes in reverse order into the float variable
check_length(v.size(), sizeof(float), 1);
float res;
for (size_t byte = 0; byte < sizeof(float); ++byte)
{
reinterpret_cast<uint8_t*>(&res)[sizeof(float) - byte - 1] = v[current_idx + 1 + byte];
reinterpret_cast<uint8_t*>(&res)[sizeof(float) - byte - 1] = v.at(current_idx + 1 + byte);
}
idx += sizeof(float); // skip content bytes
return res;
......@@ -7561,12 +7557,11 @@ class basic_json
case 0xfb: // Double-Precision Float (eight-byte IEEE 754)
{
check_length(v.size(), sizeof(double), 1);
// copy bytes in reverse order into the double variable
double res;
for (size_t byte = 0; byte < sizeof(double); ++byte)
{
reinterpret_cast<uint8_t*>(&res)[sizeof(double) - byte - 1] = v[current_idx + 1 + byte];
reinterpret_cast<uint8_t*>(&res)[sizeof(double) - byte - 1] = v.at(current_idx + 1 + byte);
}
idx += sizeof(double); // skip content bytes
return res;
......
test/src/unit-regression.cpp
......@@ -663,4 +663,31 @@ TEST_CASE("regression tests")
std::vector<uint8_t> vec3 {0xbf, 0x61, 0x61, 0x01};
CHECK_THROWS_AS(json::from_cbor(vec3), std::out_of_range);
}
SECTION("issue #416 - Use-of-uninitialized-value (OSS-Fuzz issue 377)")
{
// original test case
std::vector<uint8_t> vec1
{
0x94, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa,
0x3a, 0x96, 0x96, 0xb4, 0xb4, 0xb4, 0xb4, 0xb4,
0xb4, 0xb4, 0xb4, 0xb4, 0xb4, 0xb4, 0xb4, 0x71,
0xb4, 0xb4, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0x3a,
0x96, 0x96, 0xb4, 0xb4, 0xfa, 0x94, 0x94, 0x61,
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0xfa
};
CHECK_THROWS_AS(json::from_cbor(vec1), std::out_of_range);
// related test case: double-precision
std::vector<uint8_t> vec2
{
0x94, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa,
0x3a, 0x96, 0x96, 0xb4, 0xb4, 0xb4, 0xb4, 0xb4,
0xb4, 0xb4, 0xb4, 0xb4, 0xb4, 0xb4, 0xb4, 0x71,
0xb4, 0xb4, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0x3a,
0x96, 0x96, 0xb4, 0xb4, 0xfa, 0x94, 0x94, 0x61,
0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0xfb
};
CHECK_THROWS_AS(json::from_cbor(vec2), std::out_of_range);
}
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment