From f2cdb15e0c2f74a6c9d2baf7b3bc56035be7c1f4 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Tue, 26 Apr 2022 11:01:33 +0200 Subject: [PATCH] json: fix \uXXXX parsing We need exactly 4 hex characters, everything else is refused. We also copy those characters directly to the output string without assuming any encoding. See #2337 --- spa/include/spa/utils/json.h | 14 +++++++------- test/test-spa-json.c | 3 +++ 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/spa/include/spa/utils/json.h b/spa/include/spa/utils/json.h index ef44800bb..9e51d2595 100644 --- a/spa/include/spa/utils/json.h +++ b/spa/include/spa/utils/json.h @@ -355,15 +355,15 @@ static inline int spa_json_parse_stringn(const char *val, int len, char *result, else if (*p == 'f') *result++ = '\f'; else if (*p == 'u') { - char *end; - uint16_t v = strtol(p+1, &end, 16); - if (p+1 == end) { + uint8_t v[2]; + if (p + 5 > val + len || + sscanf(p+1, "%02hhx%02hhx", &v[0], &v[1]) != 2) { *result++ = *p; } else { - p = end-1; - if (v > 0xff) - *result++ = (v >> 8) & 0xff; - *result++ = v & 0xff; + p += 4; + if (v[0] != 0) + *result++ = v[0]; + *result++ = v[1]; } } else *result++ = *p; diff --git a/test/test-spa-json.c b/test/test-spa-json.c index b5dedf749..b3c15669d 100644 --- a/test/test-spa-json.c +++ b/test/test-spa-json.c @@ -176,6 +176,9 @@ PWTEST(json_encode) pwtest_str_eq(dst, "\"\\u0004\\u0005\\u001f \\u0001\x7f\x90\""); pwtest_int_eq(spa_json_parse_stringn(dst, sizeof(dst), result, sizeof(result)), 1); pwtest_str_eq(result, "\x04\x05\x1f\x20\x01\x7f\x90"); + strcpy(dst, "\"\\u03b2a\""); + pwtest_int_eq(spa_json_parse_stringn(dst, sizeof(dst), result, sizeof(result)), 1); + pwtest_str_eq(result, "\003\262a"); return PWTEST_PASS; }