diff options
| author | Nicolas Badoux <n.badoux@hotmail.com> | 2024-08-23 14:50:30 +0000 |
|---|---|---|
| committer | Alan Wang <wp_scut@163.com> | 2024-08-30 11:29:28 +0800 |
| commit | d6d5449e1f271556ea8e6ec0f3026ceb0b4a9508 (patch) | |
| tree | 8d03e6325e73893502f9d857f1c16afc668b7f4d | |
| parent | a78d975537a8df40d58a96f8ce326d7fb625e1e5 (diff) | |
| download | cjson-d6d5449e1f271556ea8e6ec0f3026ceb0b4a9508.tar.gz cjson-d6d5449e1f271556ea8e6ec0f3026ceb0b4a9508.zip | |
fix #881, check overlap before calling strcpy in cJSON_SetValuestring
| -rw-r--r-- | cJSON.c | 13 |
1 files changed, 12 insertions, 1 deletions
@@ -403,6 +403,8 @@ CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number) CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring) { char *copy = NULL; + size_t v1_len; + size_t v2_len; /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */ if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference)) { @@ -413,8 +415,17 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring) { return NULL; } - if (strlen(valuestring) <= strlen(object->valuestring)) + + v1_len = strlen(valuestring); + v2_len = strlen(object->valuestring); + + if (v1_len <= v2_len) { + /* strcpy does not handle overlapping string: [X1, X2] [Y1, Y2] => X2 < Y1 or Y2 < X1 */ + if (!( valuestring + v1_len < object->valuestring || object->valuestring + v2_len < valuestring )) + { + return NULL; + } strcpy(object->valuestring, valuestring); return object->valuestring; } |