From db85339f509e8c1bc39bb90fd6a4e6327b257964 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Thu, 18 Mar 2021 19:44:25 +0100
Subject: [PATCH] json: handle overflow better

We need at least the length of the string+1 as the length of the target in spa_json_get_string(). Add a unit test for this.
---
 spa/include/spa/utils/json.h | 2 +-
 spa/tests/test-json.c | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/spa/include/spa/utils/json.h b/spa/include/spa/utils/json.h
index 1ca562243..99f32d4d4 100644
--- a/spa/include/spa/utils/json.h
+++ b/spa/include/spa/utils/json.h
@@ -351,7 +351,7 @@ static inline int spa_json_get_string(struct spa_json *iter, char *res, int maxl
 {
 const char *value;
 int len;
- if ((len = spa_json_next(iter, &value)) <= 0 || maxlen < len)
+ if ((len = spa_json_next(iter, &value)) <= 0 || maxlen <= len)
 return -1;
 return spa_json_parse_string(value, len, res);
 }
diff --git a/spa/tests/test-json.c b/spa/tests/test-json.c
index 5f46aa504..22027df15 100644
--- a/spa/tests/test-json.c
+++ b/spa/tests/test-json.c
@@ -194,11 +194,28 @@ static void test_arrays(void)
 test_array("[ FL FR ]", (char *[]){ "FL", "FR", NULL });
 }
 
+static void test_overflow(void)
+{
+ struct spa_json it[2];
+ char val[3];
+ const char *str = "[ F, FR, FRC ]";
+
+ spa_json_init(&it[0], str, strlen(str));
+ spa_assert(spa_json_enter_array(&it[0], &it[1]) > 0);
+
+ spa_assert(spa_json_get_string(&it[1], val, sizeof(val)) > 0);
+ spa_assert(strcmp(val, "F") == 0);
+ spa_assert(spa_json_get_string(&it[1], val, sizeof(val)) > 0);
+ spa_assert(strcmp(val, "FR") == 0);
+ spa_assert(spa_json_get_string(&it[1], val, sizeof(val)) < 0);
+}
+
 int main(int argc, char *argv[])
 {
 test_abi();
 test_parse();
 test_encode();
 test_arrays();
+ test_overflow();
 return 0;
 }
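Review bot: The `maxlen <= len` test in spa_json_get_string() is the only bound on the write into `res`, because `spa_json_parse_string(value, len, res)` is called without a destination size; the reason for `<=` deserves a comment above the check, e.g. `/* res must hold up to len bytes plus the terminating NUL */`. Any other caller of spa_json_parse_string() would presumably need the same `len + 1` guarantee, so stating that requirement on the parser itself would help too. The -1 is also returned only after spa_json_next() has run, so from the return value alone a caller cannot tell a too-small buffer from the `len <= 0` case. The signature is cut off in the hunk header; the body is fully visible.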
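Review bot: The last assertion in test_overflow() checks only the return value, so it would not notice a regression that writes into `val` before rejecting the token; adding `spa_assert(strcmp(val, "FR") == 0);` after the failing call pins that the buffer is left untouched. All three tokens are bare words, so the test does not cover quoted or escaped strings, where the raw token length and the decoded length probably differ. A constructed case such as `"[ \"FR\" ]"` with the same `char val[3]` would document which of the two lengths the `maxlen` check counts.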