json: fix \uXXXX parsing

We need exactly 4 hex characters, everything else is refused. We also copy those characters directly to the output string without assuming any encoding. See #2337
2025-10-29 05:40:27 -04:00 · 2022-04-26 11:01:33 +02:00 · 2022-04-26 11:01:33 +02:00 · f2cdb15e0c
commit f2cdb15e0c
parent d9871f36c1
2 changed files with 10 additions and 7 deletions
--- a/spa/include/spa/utils/json.h
+++ b/spa/include/spa/utils/json.h
@ -355,15 +355,15 @@ static inline int spa_json_parse_stringn(const char *val, int len, char *result,
 				else if (*p == 'f')
 					*result++ = '\f';
 				else if (*p == 'u') {
-					char *end;
-					uint16_t v = strtol(p+1, &end, 16);
-					if (p+1 == end) {
+					uint8_t v[2];
+					if (p + 5 > val + len ||
+					    sscanf(p+1, "%02hhx%02hhx", &v[0], &v[1]) != 2) {
 						*result++ = *p;
 					} else {
-						p = end-1;
-						if (v > 0xff)
-							*result++ = (v >> 8) & 0xff;
-						*result++ = v & 0xff;
+						p += 4;
+						if (v[0] != 0)
+							*result++ = v[0];
+						*result++ = v[1];
 					}
 				} else
 					*result++ = *p;
--- a/test/test-spa-json.c
+++ b/test/test-spa-json.c
@ -176,6 +176,9 @@ PWTEST(json_encode)
 	pwtest_str_eq(dst, "\"\\u0004\\u0005\\u001f \\u0001\x7f\x90\"");
 	pwtest_int_eq(spa_json_parse_stringn(dst, sizeof(dst), result, sizeof(result)), 1);
 	pwtest_str_eq(result, "\x04\x05\x1f\x20\x01\x7f\x90");
+	strcpy(dst, "\"\\u03b2a\"");
+	pwtest_int_eq(spa_json_parse_stringn(dst, sizeof(dst), result, sizeof(result)), 1);
+	pwtest_str_eq(result, "\003\262a");

 	return PWTEST_PASS;
 }