Heap buffer overflow in json_parse_value when use json_parse_flags_allow_inf_and_nan

Hi, I use fuzzer find this overflow.

#include "json.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char s[11] = "[Infinity0]";
    json_parse_ex(s, 11, json_parse_flags_allow_inf_and_nan, 0, 0, 0);
}

and

#include "json.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char s[6] = "[NaN0]";
    json_parse_ex(s, 6, json_parse_flags_allow_inf_and_nan, 0, 0, 0);
}

These can overflow in same part, this is asan report:

==915483==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000000070 at pc 0x55555555c4f4 bp 0x7fffffffdbf0 sp 0x7fffffffdbe0
WRITE of size 8 at 0x608000000070 thread T0
    #0 0x55555555c4f3 in json_parse_array json.h:1793
    #1 0x55555555d3ee in json_parse_value json.h:1948
    #2 0x55555555ea2b in json_parse_ex json.h:2115
    #3 0x555555565ddb in main overflow.c:8
    #4 0x7ffff73ae082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x5555555552cd in _start (/home/yuan/json.h-or/crash+0x12cd)

0x608000000075 is located 0 bytes to the right of 85-byte region [0x608000000020,0x608000000075)
allocated by thread T0 here:
    #0 0x7ffff7689808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55555555e637 in json_parse_ex json.h:2074
    #2 0x555555565ddb in main overflow.c:8
    #3 0x7ffff73ae082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow json.h:1793 in json_parse_array
Shadow bytes around the buggy address:
  0x0c107fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff8000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00[05]fa
  0x0c107fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==915483==ABORTING

sheredom / json.h

Heap buffer overflow in json_parse_value when use json_parse_flags_allow_inf_and_nan #87