Signed-off-by: Arun Raghavan <arun at arunraghavan.net>
---
 src/pulse/json.c | 18 ++++++++++++++++++
 src/tests/json-test.c | 3 +++
 2 files changed, 21 insertions(+)

diff --git a/src/pulse/json.c b/src/pulse/json.c
index 4d5500f..4a8e222 100644
--- a/src/pulse/json.c
+++ b/src/pulse/json.c
@@ -211,6 +211,11 @@ static const char* parse_number(const char *str, pa_json_object *obj) {
 }

 while (is_digit(*str)) {
+ if (integer > ((negative ? INT_MAX : UINT_MAX) / 10)) {
+ pa_log("Integer overflow while parsing number");
+ goto error;
+ }
+
 integer = (integer * 10) + (*str - '0');
 str++;
 }
@@ -221,6 +226,11 @@ fraction:
 str++;

 while (is_digit(*str)) {
+ if (fraction > (UINT_MAX / 10)) {
+ pa_log("Integer overflow while parsing fractional part of number");
+ goto error;
+ }
+
 fraction = (fraction * 10) + (*str - '0');
 fraction_digits++;
 str++;
@@ -240,6 +250,11 @@ fraction:
 str++;

 while (is_digit(*str)) {
+ if (exponent > (INT_MAX / 10)) {
+ pa_log("Integer overflow while parsing exponent part of number");
+ goto error;
+ }
+
 exponent = (exponent * 10) + (*str - '0');
 str++;
 }
@@ -258,6 +273,9 @@ fraction:
 }

 return str;
+
+error:
+ return NULL;
 }

 static const char *parse_object(const char *str, pa_json_object *obj) {
diff --git a/src/tests/json-test.c b/src/tests/json-test.c
index 7d273d7..a5f1f74 100644
--- a/src/tests/json-test.c
+++ b/src/tests/json-test.c
@@ -220,6 +220,9 @@ START_TEST(bad_test) {
 unsigned int i;
 const char *bad_parse[] = {
 "\"" /* Quote not closed */,
+ "123456789012345678901234567890" /* Overflow */,
+ "0.123456789012345678901234567890" /* Overflow */,
+ "1e123456789012345678901234567890" /* Overflow */,
 };

 for (i = 0; i < PA_ELEMENTSOF(bad_parse); i++) {
--
2.5.5
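Review bot: The guard `integer > ((negative ? INT_MAX : UINT_MAX) / 10)` in the first digit loop bounds only the multiplication, not the digit added on the following line: when `integer` equals the limit divided by 10, `integer * 10 + (*str - '0')` can still exceed the limit for a large final digit. Folding the digit into the comparison closes the gap, e.g. `if (integer > ((negative ? INT_MAX : UINT_MAX) - (unsigned) (*str - '0')) / 10) {`. The fraction and exponent hunks have the same gap; `exponent` is compared against INT_MAX and is presumably a signed int, so there the leftover case is signed overflow (undefined behaviour) rather than a wrap, and `if (exponent > (INT_MAX - (*str - '0')) / 10) {` would cover it. The variable declarations and the rest of parse_number are outside the hunk, so the types are inferred.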
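Review bot: The three new `bad_parse` entries are all 30 digits long, so they trip the checks well before the boundary and do not cover an overflow that only happens on the last digit. A boundary case would pin that down, for instance the constructed value `"4294967299" /* Overflow on last digit, assumes 32-bit unsigned int */,`. Whether it is rejected depends on the guards in parse_number in src/pulse/json.c. The body of bad_test continues outside the hunk.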