From fba1bcdd0b109c217564088219eb44e2a2a8e077 Mon Sep 17 00:00:00 2001
From: Niels Lohmann
Date: Sun, 7 May 2017 13:41:48 +0200
Subject: [PATCH] :bug: fixing #575
I forgot to consider the offset.
---
 src/json.hpp | 2 +-
 test/src/unit-regression.cpp | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/json.hpp b/src/json.hpp
index f2919b12..e16f2e99 100644
--- a/src/json.hpp
+++ b/src/json.hpp
@@ -8915,7 +8915,7 @@ class basic_json
 {
 // avoid reading too many characters
 const size_t max_length = static_cast(limit - start);
- return std::string(start + offset, std::min({length, max_length}));
+ return std::string(start + offset, std::min({length, max_length - offset}));
 }
 private:
diff --git a/test/src/unit-regression.cpp b/test/src/unit-regression.cpp
index ab9fa935..1ff8f987 100644
--- a/test/src/unit-regression.cpp
+++ b/test/src/unit-regression.cpp
@@ -1010,4 +1010,10 @@ TEST_CASE("regression tests")
 CHECK(not(6 <= j["a"]));
 CHECK(not(6 < j["a"]));
 }
+
+ SECTION("issue #575 - heap-buffer-overflow (OSS-Fuzz 1400)")
+ {
+ std::vector vec = {'"', '\\', '"', 'X', '"', '"'};
+ CHECK_THROWS_AS(json::parse(vec), json::parse_error);
+ }
 }
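Review bot: `max_length - offset` on the added line in src/json.hpp is an unsigned subtraction, so if `offset` can ever exceed `limit - start` it wraps to a huge value, `std::min` falls back to `length`, and the over-read this commit fixes comes back; whether callers guarantee `offset <= max_length` is not visible here, because the enclosing function begins before the hunk. A defensive form that costs one line is `if (offset > max_length) return std::string();` placed before the return, keeping `std::min({length, max_length - offset})` as written. A short comment such as `// offset is relative to start, so the remaining budget is max_length - offset, not max_length` would also record why the fix is shaped this way. The `static_cast(limit - start)` on the context line appears to have lost its template argument in rendering and is presumably `static_cast<size_t>` in the tree.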
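Review bot: The new SECTION in test/src/unit-regression.cpp asserts only that `json::parse(vec)` throws `json::parse_error`, which the parser presumably did before the fix as well, since the defect was an out-of-bounds read rather than a wrong outcome; on a build without a sanitizer this test would therefore pass with or without the change. Pinning the exception text with Catch's `CHECK_THROWS_WITH(json::parse(vec), "<expected parse_error message>")` (placeholder for the actual message) would tie the assertion to the repaired token string, so a regression that again reads past `limit` is more likely to alter the observed output. A comment on the SECTION such as `// over-read only observable under ASan/UBSan; keep this case in the sanitizer CI job` would tell the next maintainer why the case is worth keeping even though it looks like a plain throw check.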