Chromium Code Reviews| Index: base/json/json_parser.cc |
| diff --git a/base/json/json_parser.cc b/base/json/json_parser.cc |
| index 50c8921d9352cccc235adea6b17e846275635c46..8216d1ef1cce7482d27e0c184398d4c54ea6af6d 100644 |
| --- a/base/json/json_parser.cc |
| +++ b/base/json/json_parser.cc |
| @@ -680,7 +680,7 @@ std::unique_ptr<Value> JSONParser::ConsumeNumber() { |
| end_index = index_; |
| // The optional fraction part. |
| - if (*pos_ == '.') { |
| + if (pos_ < end_pos_ && *pos_ == '.') { |
| if (!CanConsume(1)) { |
| ReportError(JSONReader::JSON_SYNTAX_ERROR, 1); |
| return nullptr; |
| @@ -694,10 +694,23 @@ std::unique_ptr<Value> JSONParser::ConsumeNumber() { |
| } |
| // Optional exponent part. |
| - if (*pos_ == 'e' || *pos_ == 'E') { |
| + if (pos_ < end_pos_ && (*pos_ == 'e' || *pos_ == 'E')) { |
|
dcheng
2017/02/24 21:15:31
Should lines 697 to 713 be wrapped in a pos_ < end
Robert Sesek
2017/02/24 21:25:33
That's what this is... are you asking about line 7
dcheng
2017/02/24 21:55:45
I can't read, so ignore this.
Robert Sesek
2017/02/24 22:16:22
end_pos_ is start_pos_+length, so it points at the
|
| + if (!CanConsume(1)) { |
| + ReportError(JSONReader::JSON_SYNTAX_ERROR, 1); |
| + return nullptr; |
| + } |
| NextChar(); |
| - if (*pos_ == '-' || *pos_ == '+') |
| + if (!CanConsume(1)) { |
| + ReportError(JSONReader::JSON_SYNTAX_ERROR, 1); |
| + return nullptr; |
| + } |
| + if (*pos_ == '-' || *pos_ == '+') { |
| NextChar(); |
| + if (!CanConsume(1)) { |
| + ReportError(JSONReader::JSON_SYNTAX_ERROR, 1); |
| + return nullptr; |
| + } |
| + } |
| if (!ReadInt(true)) { |
| ReportError(JSONReader::JSON_SYNTAX_ERROR, 1); |
| return nullptr; |
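Review bot: The two new guards, `if (pos_ < end_pos_ && *pos_ == '.')` and `if (pos_ < end_pos_ && (*pos_ == 'e' || *pos_ == 'E'))`, spell the bounds test as a raw pointer comparison, while every other check in these hunks uses `CanConsume(1)`. Since this change exists to stop reads past the end of the buffer, a single idiom would make it easier to audit that each `*pos_` is covered; I would write `if (CanConsume(1) && *pos_ == '.')` and `if (CanConsume(1) && (*pos_ == 'e' || *pos_ == 'E'))`. If `CanConsume(1)` means "at least one byte remains" (its definition is not visible here), the `if (!CanConsume(1))` block directly inside each guard re-tests the same condition and can never fire, so it should be dropped or given a comment explaining what it protects. The body of `ConsumeNumber()` starts before and continues after these hunks, so the `NextChar()`/`ReadInt(true)` path of the fraction branch, which lies between the two hunks, should be checked for the same end-of-input case.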