From 871cebaf84d4f896bc730a92937f8d02e09b0023 Mon Sep 17 00:00:00 2001
From: Niels Lohmann <niels.lohmann@gmail.com>
Date: Thu, 29 Dec 2016 15:39:16 +0100
Subject: [PATCH] :ambulance: fix for #405

---
 src/json.hpp                 | 6 ++++++
 src/json.hpp.re2c            | 6 ++++++
 test/src/unit-regression.cpp | 7 +++++++
 3 files changed, 19 insertions(+)

diff --git a/src/json.hpp b/src/json.hpp
index 4515ca67..76824cf8 100644
--- a/src/json.hpp
+++ b/src/json.hpp
@@ -6871,6 +6871,12 @@ class basic_json
         {
             throw std::out_of_range("len+offset out of range");
         }
+
+        // last case: reading past the end of the vector
+        if (len + offset > size)
+        {
+            throw std::out_of_range("len+offset out of range");
+        }
     }
 
     /*!
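Review bot: The new guard `if (len + offset > size)` is only safe if the addition cannot wrap, and with a length decoded from CBOR input that holds only when the earlier cases in this function already bound both operands. Those cases start above the hunk, so this cannot be confirmed from the lines shown. Writing the comparison without the sum, `if (offset > size || len > size - offset)`, keeps the bounds check correct on its own even if the preceding checks are later reordered or relaxed. The thrown text is also the same `"len+offset out of range"` string as the case directly above, so a distinct message would make the two failures distinguishable when triaging fuzzer reports. The identical hunk in src/json.hpp.re2c carries the same points.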
diff --git a/src/json.hpp.re2c b/src/json.hpp.re2c
index 6d649db3..10bfaf57 100644
--- a/src/json.hpp.re2c
+++ b/src/json.hpp.re2c
@@ -6871,6 +6871,12 @@ class basic_json
         {
             throw std::out_of_range("len+offset out of range");
         }
+
+        // last case: reading past the end of the vector
+        if (len + offset > size)
+        {
+            throw std::out_of_range("len+offset out of range");
+        }
     }
 
     /*!
diff --git a/test/src/unit-regression.cpp b/test/src/unit-regression.cpp
index 1e720ddb..033041ab 100644
--- a/test/src/unit-regression.cpp
+++ b/test/src/unit-regression.cpp
@@ -540,4 +540,11 @@ TEST_CASE("regression tests")
         CHECK(j.is_number_float());
         CHECK(j.dump() == "1.66020696663386e+20");
     }
+
+    SECTION("issue #405 - Heap-buffer-overflow (OSS-Fuzz issue 342)")
+    {
+        // original test case
+        std::vector<uint8_t> vec {0x65, 0xf5, 0x0a, 0x48, 0x21};
+        CHECK_THROWS_AS(json::from_cbor(vec), std::out_of_range);
+    }
 }
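Review bot: The new section pins only the fuzzer's input and does not exercise the boundary that the added `>` comparison defines. A string whose announced length ends exactly at the end of the buffer must still parse, and one that is a single byte short should throw. Constructed cases such as `CHECK(json::from_cbor(std::vector<uint8_t>{0x61, 0x61}) == json("a"));` and `CHECK_THROWS_AS(json::from_cbor(std::vector<uint8_t>{0x61}), std::out_of_range);` would catch an off-by-one in either direction. The comment `// original test case` could also state why the input is malformed, for example `// 0x65 announces a 5-byte text string, but only 4 bytes follow`.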