Fix out-of-bounds read in json_lex_string

j-naylor · j-naylor · commit d3117fc1a3e8 · 2022-07-12T11:25:47.000+07:00
Commit 3838fa2 added a lookahead loop to allow building strings multiple bytes at a time. This loop could exit because it reached the end of input, yet did not check for that before checking if we reached the end of a valid string. To fix, put the end of string check back in the outer loop. Per Valgrind animal skink
diff --git a/src/common/jsonapi.c b/src/common/jsonapi.c
@@ -686,6 +686,8 @@ json_lex_string(JsonLexContext *lex)
 			lex->token_terminator = s;
 			return JSON_INVALID_TOKEN;
 		}
+		else if (*s == '"')
+			break;
 		else if (*s == '\\')
 		{
 			/* OK, we have an escape character. */
@@ -870,21 +872,21 @@ json_lex_string(JsonLexContext *lex)
 			if (lex->strval != NULL)
 				appendBinaryStringInfo(lex->strval, s, p - s);
 
-			if (*p == '"')
-			{
-				/* Hooray, we found the end of the string! */
-				lex->prev_token_terminator = lex->token_terminator;
-				lex->token_terminator = p + 1;
-				return JSON_SUCCESS;
-			}
-
 			/*
 			 * s will be incremented at the top of the loop, so set it to just
 			 * behind our lookahead position
 			 */
 			s = p - 1;
 		}
 	}
+
+	if (hi_surrogate != -1)
+		return JSON_UNICODE_LOW_SURROGATE;
+
+	/* Hooray, we found the end of the string! */
+	lex->prev_token_terminator = lex->token_terminator;
+	lex->token_terminator = s + 1;
+	return JSON_SUCCESS;
 }
 
 /*
