From 3976c5750fea4369cefbf8a510ca9438b5d5b6fe Mon Sep 17 00:00:00 2001
From: Dan Good
Date: Tue, 8 Jun 2021 19:00:09 +0000
Subject: [PATCH] Fix overflow in skipOneHexEscape()
---
 source/core_json.c | 2 +-
 source/include/stdint.readme | 20 ++++++++++++--------
 test/unit-test/core_json_utest.c | 13 +++++++++++++
 3 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/source/core_json.c b/source/core_json.c
index b063e298..6007749e 100644
--- a/source/core_json.c
+++ b/source/core_json.c
@@ -335,7 +335,7 @@ static bool skipOneHexEscape( const char * buf,
 i = *start;
 #define HEX_ESCAPE_LENGTH ( 6U ) /* e.g., \u1234 */
- end = i + HEX_ESCAPE_LENGTH;
+ end = ( i <= ( SIZE_MAX - HEX_ESCAPE_LENGTH ) ) ? ( i + HEX_ESCAPE_LENGTH ) : SIZE_MAX;
 if( ( end < max ) && ( buf[ i ] == '\\' ) && ( buf[ i + 1U ] == 'u' ) )
 {
diff --git a/source/include/stdint.readme b/source/include/stdint.readme
index 75ca6316..6b3718e4 100644
--- a/source/include/stdint.readme
+++ b/source/include/stdint.readme
@@ -25,13 +25,17 @@ typedef unsigned long uint32_t;
 typedef long long int64_t;
 typedef unsigned long long uint64_t;
-#define INT8_MAX ( ( signed char ) 127 )
-#define UINT8_MAX ( ( unsigned char ) 255 )
-#define INT16_MAX ( ( short ) 32767 )
-#define UINT16_MAX ( ( unsigned short ) 65535 )
-#define INT32_MAX 2147483647L
-#define UINT32_MAX 4294967295UL
-#define INT64_MAX 9223372036854775807LL
-#define UINT64_MAX 18446744073709551615ULL
+#define INT8_MAX ( ( signed char ) 127 )
+#define UINT8_MAX ( ( unsigned char ) 255 )
+#define INT16_MAX ( ( short ) 32767 )
+#define UINT16_MAX ( ( unsigned short ) 65535 )
+#define INT32_MAX 2147483647L
+#define UINT32_MAX 4294967295UL
+#define INT64_MAX 9223372036854775807LL
+#define UINT64_MAX 18446744073709551615ULL
+
+#ifndef SIZE_MAX
+ #define SIZE_MAX ( ( size_t ) -1 )
+#endif
 #endif /* _STDINT_H */
diff --git a/test/unit-test/core_json_utest.c b/test/unit-test/core_json_utest.c
index 7cf3fb14..3eaf6a90 100644
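Review bot: The saturated `end` in skipOneHexEscape() (source/core_json.c) is only safe because the guard on the following line is the strict `end < max`, and nothing in the code records that dependency. With the clamp, any `i` above `SIZE_MAX - HEX_ESCAPE_LENGTH` gives `end == SIZE_MAX`, which can never be less than `max`, so `buf[ i ]` is not read; relaxing the comparison to `<=` later would bring the out-of-bounds read back when `max == SIZE_MAX`. I would put a comment above the assignment, for example `/* Saturate rather than wrap: end == SIZE_MAX never satisfies ( end < max ), so an out-of-range *start is rejected before buf[ i ] is read. */`. The function body starts and ends outside the hunk, so the later uses of `end` are not visible here.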
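Review bot: The fallback `#define SIZE_MAX ( ( size_t ) -1 )` in source/include/stdint.readme contains a cast, so unlike the `<stdint.h>` macro it stands in for, it cannot be evaluated in an `#if` directive, and it only compiles where `size_t` is already declared. The use this commit adds in core_json.c is an ordinary expression and is unaffected, but a port that copies this file should be told about the limit. A comment above the `#ifndef` would cover it, for example `/* Not usable in #if; size_t must already be declared (e.g. via <stddef.h>). */`. Whether this file pulls in `<stddef.h>` itself is not visible in the hunk.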
--- a/test/unit-test/core_json_utest.c
+++ b/test/unit-test/core_json_utest.c
@@ -1871,3 +1871,16 @@ void test_JSON_unreached( void )
 iterate( buf, max, &start, &next, &key, &keyLength, &value, &valueLength ) );
 }
 }
+
+/**
+ * @brief Test overflows.
+ */
+void test_JSON_overflows( void )
+{
+ char buf[] = UNICODE_ESCAPE_SEQUENCES_BMP;
+ size_t start;
+ uint16_t u;
+
+ start = SIZE_MAX;
+ TEST_ASSERT_EQUAL( false, skipOneHexEscape( buf, &start, SIZE_MAX, &u ) );
+}
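Review bot: test_JSON_overflows() checks only `start = SIZE_MAX`, which leaves the clamp threshold itself untested. The smallest start that wrapped before the fix is `SIZE_MAX - 5U` (assuming HEX_ESCAPE_LENGTH stays 6), and an off-by-one in the `<=` comparison would show up there but not at `SIZE_MAX`. I would add a second case: `start = SIZE_MAX - 5U;` followed by `TEST_ASSERT_EQUAL( false, skipOneHexEscape( buf, &start, SIZE_MAX, &u ) );`. The doc comment could also say which overflow is meant, for example `@brief skipOneHexEscape() must reject a start index whose end offset would wrap past SIZE_MAX.`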