From fba1bcdd0b109c217564088219eb44e2a2a8e077 Mon Sep 17 00:00:00 2001
From: Niels Lohmann <mail@nlohmann.me>
Date: Sun, 7 May 2017 13:41:48 +0200
Subject: [PATCH] :bug: fixing #575

I forgot to consider the offset.
---
 src/json.hpp                 | 2 +-
 test/src/unit-regression.cpp | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/json.hpp b/src/json.hpp
index f2919b12..e16f2e99 100644
--- a/src/json.hpp
+++ b/src/json.hpp
@@ -8915,7 +8915,7 @@ class basic_json
         {
             // avoid reading too many characters
             const size_t max_length = static_cast<size_t>(limit - start);
-            return std::string(start + offset, std::min({length, max_length}));
+            return std::string(start + offset, std::min({length, max_length - offset}));
         }
 
       private:
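Review bot: `max_length - offset` on the new line is unsigned arithmetic, so if `offset` ever exceeds `max_length` the subtraction wraps to a huge value, `std::min` then selects `length`, and the `std::string` constructor reads from `start + offset`, which is already beyond `limit`. The fix therefore bounds the read only for offsets that lie inside the buffer; unless a check earlier in the function guarantees `offset <= max_length` (the function's body begins outside the hunk, so I cannot see one), a guard such as `if (offset >= max_length) return std::string();` placed before the `return` would make the bound unconditional. A short comment on why the offset is subtracted, e.g. `// the readable window shrinks by the offset we skip past`, would also help, since the commit message is the only place that rationale currently lives.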
diff --git a/test/src/unit-regression.cpp b/test/src/unit-regression.cpp
index ab9fa935..1ff8f987 100644
--- a/test/src/unit-regression.cpp
+++ b/test/src/unit-regression.cpp
@@ -1010,4 +1010,10 @@ TEST_CASE("regression tests")
         CHECK(not(6 <= j["a"]));
         CHECK(not(6 <  j["a"]));
     }
+
+    SECTION("issue #575 - heap-buffer-overflow (OSS-Fuzz 1400)")
+    {
+        std::vector<uint8_t> vec = {'"', '\\', '"', 'X', '"', '"'};
+        CHECK_THROWS_AS(json::parse(vec), json::parse_error);
+    }
 }
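Review bot: The `CHECK_THROWS_AS` in the new `SECTION` asserts only that the malformed input is rejected with `json::parse_error`; the heap-buffer-overflow this regression guards against is a memory-safety defect that is observable only under a sanitizer such as the one OSS-Fuzz runs, so on a plain build the test presumably passes with or without the `json.hpp` change. A comment making that dependency explicit would help the next maintainer, e.g. `// the over-read itself is only detected under ASan (OSS-Fuzz 1400); the CHECK confirms the input is still rejected`. The enclosing `TEST_CASE("regression tests")` begins outside the hunk.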