author | Petri Lehtinen <petri@digip.org> | 2013-10-15 08:44:04 +0300 |
---|---|---|
committer | Petri Lehtinen <petri@digip.org> | 2013-10-15 08:44:04 +0300 |
commit | d544852ff61bddbbf3d2095f18ba30d9562487f2 (patch) | |
tree | f2d205f871b55dfcadd5050e43e3682db73b89c1 | |
parent | 8dc3233f3ba10d3d382a2f2608441436009c51f8 (diff) | |
Avoid integer overflows with very long strings
-rw-r--r-- | src/hashtable.c | 7 | ||||
-rw-r--r-- | src/utf.c | 2 |
2 files changed, 8 insertions, 1 deletions
diff --git a/src/hashtable.c b/src/hashtable.c index 5fb0467..0af8cee 100644 --- a/src/hashtable.c +++ b/src/hashtable.c @@ -249,6 +249,13 @@ int hashtable_set(hashtable_t *hashtable, /* offsetof(...) returns the size of pair_t without the last, flexible member. This way, the correct amount is allocated. */ + + size_t len = strlen(key); + if(len > (size_t)-1 - offsetof(pair_t, key)) { + /* Avoid an overflow if the key is very long */ + return -1; + } + pair = jsonp_malloc(offsetof(pair_t, key) + strlen(key) + 1); if(!pair) return -1; @@ -173,7 +173,7 @@ int utf8_check_string(const char *string, size_t length) return 0; else if(count > 1) { - if(i + count > length) + if(count > length - i) return 0; if(!utf8_check_full(&string[i], count, NULL)) |
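Review bot: The added guard in hashtable_set leaves out the `+ 1` for the terminator: a `len` exactly equal to `(size_t)-1 - offsetof(pair_t, key)` passes the check, and `offsetof(pair_t, key) + strlen(key) + 1` then wraps to 0, so jsonp_malloc is asked for a zero-sized pair. Such a key is unlikely to exist in practice, but the guard should match the expression it protects: `if(len >= (size_t)-1 - offsetof(pair_t, key)) {`. The allocation should also reuse the checked value, `pair = jsonp_malloc(offsetof(pair_t, key) + len + 1);`, rather than calling strlen(key) a second time. `len` is declared after a comment in the middle of the block; if statements precede it there (the body of hashtable_set starts and ends outside the hunk), strict C89 compilers will reject the declaration.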
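Review bot: The rewritten bound check in utf8_check_string, `if(count > length - i)`, is only overflow-free while `i <= length`, and nothing next to it says so. The loop that establishes this is outside the hunk, so I would add a comment such as `/* i < length here, so length - i cannot wrap; i + count could */` above the test to keep it from being simplified back to the old form. If `count` is a signed type (its declaration is not visible), the comparison with the size_t difference also relies on it being non-negative, which the `count > 1` branch suggests.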