From 871cebaf84d4f896bc730a92937f8d02e09b0023 Mon Sep 17 00:00:00 2001 From: Niels Lohmann Date: Thu, 29 Dec 2016 15:39:16 +0100 Subject: [PATCH] :ambulance: fix for #405 --- src/json.hpp | 6 ++++++ src/json.hpp.re2c | 6 ++++++ test/src/unit-regression.cpp | 7 +++++++ 3 files changed, 19 insertions(+) diff --git a/src/json.hpp b/src/json.hpp index 4515ca67..76824cf8 100644 --- a/src/json.hpp +++ b/src/json.hpp @@ -6871,6 +6871,12 @@ class basic_json { throw std::out_of_range("len+offset out of range"); } + + // last case: reading past the end of the vector + if (len + offset > size) + { + throw std::out_of_range("len+offset out of range"); + } } /*! diff --git a/src/json.hpp.re2c b/src/json.hpp.re2c index 6d649db3..10bfaf57 100644 --- a/src/json.hpp.re2c +++ b/src/json.hpp.re2c @@ -6871,6 +6871,12 @@ class basic_json { throw std::out_of_range("len+offset out of range"); } + + // last case: reading past the end of the vector + if (len + offset > size) + { + throw std::out_of_range("len+offset out of range"); + } } /*! diff --git a/test/src/unit-regression.cpp b/test/src/unit-regression.cpp index 1e720ddb..033041ab 100644 --- a/test/src/unit-regression.cpp +++ b/test/src/unit-regression.cpp @@ -540,4 +540,11 @@ TEST_CASE("regression tests") CHECK(j.is_number_float()); CHECK(j.dump() == "1.66020696663386e+20"); } + + SECTION("issue #405 - Heap-buffer-overflow (OSS-Fuzz issue 342)") + { + // original test case + std::vector vec {0x65, 0xf5, 0x0a, 0x48, 0x21}; + CHECK_THROWS_AS(json::from_cbor(vec), std::out_of_range); + } }