Closed Geneo-5 closed 2 years ago
I think that must be a leftover from a very early version of the parser.
I fixed it on master as you suggested. Note that unlike your previous report, this is not just for malicious input, any accidentally unterminated JSON could trigger this. Please check that it works for you.
It's ok.
The following malicious "json" crashes when calling the monster_parse_json function:
{"color":"Red"�"weapons2:[ #,"inventory":[0,1,2,3;4,5,,"color":"Red","weapons":[{"name"K,7,8,9:"Sw}rd","-amage":3},{"name":"Axapons":[{"ne"�damagE":4}},"equipp,4,526,7,8,Q],"coed_type":"Weame":"Axe","dame":5}}
The cause is in flatcc_json_parser_match_constant (json_parser.c) line 492: the call to flatcc_json_parser_space returns 0 as the new buffer address.
It's possible to fix it by replacing the call from:
buf = flatcc_json_parser_space(ctx, buf + 1, 0);
to:
buf = flatcc_json_parser_space(ctx, buf + 1, end);
But I don't understand why only here the function is called with a value of 0 as the pointer to the end.
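The defect discussed in this issue is a classic bounded-scan mistake: a whitespace skipper that is handed `0` instead of the real end pointer has no idea where the buffer stops, so any JSON that is not terminated where the parser expects lets it walk past the input. The following added example (my own illustration, not flatcc's code; the names `skip_space`, `match_constant`, `match_constant_n` and `demo_unterminated` are hypothetical and the inputs are constructed) shows the shape of a keyword matcher that always carries the end pointer through, including into the whitespace skip after the keyword, so a truncated literal such as `tru` or an unterminated buffer is rejected or stopped at `end` rather than read past.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical bounded JSON helpers (not flatcc's implementation).
 * Every scan takes an explicit `end`; none of them rely on a NUL terminator.
 */

/* Skip JSON whitespace, never dereferencing at or past `end`. */
static const char *skip_space(const char *buf, const char *end)
{
    while (buf < end &&
           (*buf == ' ' || *buf == '\t' || *buf == '\n' || *buf == '\r')) {
        ++buf;
    }
    return buf;
}

/*
 * Match a JSON keyword (e.g. "true", "false", "null") starting at `buf`.
 * Returns a pointer just past the keyword and any following whitespace,
 * or NULL if the input is truncated or does not contain the keyword.
 */
static const char *match_constant(const char *buf, const char *end,
                                  const char *keyword)
{
    size_t n = strlen(keyword);

    /* Truncated input: comparing would read past `end`, so refuse first. */
    if (buf > end || (size_t)(end - buf) < n) {
        return NULL;
    }
    if (memcmp(buf, keyword, n) != 0) {
        return NULL;
    }
    /* The bug in the issue was passing 0 here instead of `end`. */
    return skip_space(buf + n, end);
}

/*
 * Convenience wrapper over a length-delimited buffer.
 * Returns the number of bytes consumed, or -1 on failure.
 */
static long match_constant_n(const char *json, size_t len, const char *keyword)
{
    const char *end = json + len;
    const char *p = match_constant(json, end, keyword);
    return p ? (long)(p - json) : -1;
}

/*
 * Constructed input that is deliberately NOT NUL-terminated: exactly five
 * bytes, "true" followed by a space. A skipper that ignores `end` would
 * keep reading whatever follows in memory; this one stops at byte 5.
 */
static long demo_unterminated(void)
{
    static const char raw[5] = {'t', 'r', 'u', 'e', ' '};
    return match_constant_n(raw, sizeof raw, "true");
}

int main(void)
{
    printf("\"true  ,\"       -> %ld\n", match_constant_n("true  ,", 7, "true"));
    printf("\"tru\" (truncated) -> %ld\n", match_constant_n("tru", 3, "true"));
    printf("unterminated 5-byte buffer -> %ld\n", demo_unterminated());
    return 0;
}
```

The check that matters is the length comparison before `memcmp` and the `buf < end` guard inside `skip_space`; together they make the end pointer the only thing that bounds the scan, which is exactly what a call with `0` as the end argument throws away.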