Fix several potential buffer over-read errors in JSONParser::ConsumeNumber.

base/json/json_parser.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/json/json_parser.h"
 
 #include <cmath>
 #include <utility>
 
 #include "base/logging.h"
@@ skipping 662 matching lines @@
   if (*pos_ == '-')
     NextChar();
 
   if (!ReadInt(false)) {
     ReportError(JSONReader::JSON_SYNTAX_ERROR, 1);
     return nullptr;
   }
   end_index = index_;
 
   // The optional fraction part.
-  if (*pos_ == '.') {
+  if (pos_ < end_pos_ && *pos_ == '.') {
     if (!CanConsume(1)) {
       ReportError(JSONReader::JSON_SYNTAX_ERROR, 1);
       return nullptr;
     }
     NextChar();
     if (!ReadInt(true)) {
       ReportError(JSONReader::JSON_SYNTAX_ERROR, 1);
       return nullptr;
     }
     end_index = index_;
   }
 
   // Optional exponent part.
-  if (*pos_ == 'e' || *pos_ == 'E') {
+  if (pos_ < end_pos_ && (*pos_ == 'e' || *pos_ == 'E')) {

[dcheng, 2017/02/24 21:15:31]

Should lines 697 to 713 be wrapped in a pos_ < end_pos_? Also, is there a
difference between this check and calling CanConsume(1)?

[Robert Sesek, 2017/02/24 21:25:33]

That's what this is... are you asking about line 707?
For the checks on 683 and 697, yes because we don't want to potentially
dereference end_pos_. These checks are the equivalent of CanConsume(0).

[dcheng, 2017/02/24 21:55:45]

I can't read, so ignore this.
Does end_pos_ point *past* the end of the buffer? The comment seems to hint it
points to the last character, so I'm not sure.

Also, it seems like CanConsume(1) should be a synonym for pos_ < end_pos_?
CanConsume() uses <= instead of <.

[Robert Sesek, 2017/02/24 22:16:22]

end_pos_ is start_pos_+length, so it points at the nul terminator.
Yeah, done per IRC conversation.

+    if (!CanConsume(1)) {
+      ReportError(JSONReader::JSON_SYNTAX_ERROR, 1);
+      return nullptr;
+    }
     NextChar();
-    if (*pos_ == '-' || *pos_ == '+')
+    if (!CanConsume(1)) {
+      ReportError(JSONReader::JSON_SYNTAX_ERROR, 1);
+      return nullptr;
+    }
+    if (*pos_ == '-' || *pos_ == '+') {
       NextChar();
+      if (!CanConsume(1)) {
+        ReportError(JSONReader::JSON_SYNTAX_ERROR, 1);
+        return nullptr;
+      }
+    }
     if (!ReadInt(true)) {
       ReportError(JSONReader::JSON_SYNTAX_ERROR, 1);
       return nullptr;
     }
     end_index = index_;
   }
 
   // ReadInt is greedy because numbers have no easily detectable sentinel,
   // so save off where the parser should be on exit (see Consume invariant at
   // the top of the header), then make sure the next token is one which is
@@ skipping 107 matching lines @@
                                            const std::string& description) {
   if (line || column) {
     return StringPrintf("Line: %i, column: %i, %s",
         line, column, description.c_str());
   }
   return description;
 }
 
 }  // namespace internal
 }  // namespace base