From 9a2ad49372cb0f52326408ed848bc4bc90f2b3ed Mon Sep 17 00:00:00 2001
From: Dmitry Frank
Date: Thu, 23 Feb 2017 15:24:47 +0200
Subject: [PATCH] Fix frozen buffer overflow
Resolves https://github.com/cesanta/frozen/issues/14
A better solution would be to allocate buffer from the heap if necessary, but it's TODO.
PUBLISHED_FROM=3afba5b216dc101b258f677993c464be42c5e717
---
 frozen/frozen.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/frozen/frozen.c b/frozen/frozen.c
index c43faedb9..49a8bb1d0 100644
--- a/frozen/frozen.c
+++ b/frozen/frozen.c
@@ -85,14 +85,14 @@ struct frozen {
 /* For callback API */
 char path[JSON_MAX_PATH_LEN];
- int path_len;
+ size_t path_len;
 void *callback_data;
 json_walk_callback_t callback;
 };
 struct fstate {
 const char *ptr;
- int path_len;
+ size_t path_len;
 };
 #define SET_STATE(fr, ptr, str, len) \
@@ -118,13 +118,15 @@ struct fstate {
 static int append_to_path(struct frozen *f, const char *str, int size) {
 int n = f->path_len;
 f->path_len +=
- snprintf(f->path + f->path_len, sizeof(f->path) - (f->path_len + 1),
- "%.*s", size, str);
+ snprintf(f->path + f->path_len, sizeof(f->path) - (f->path_len), "%.*s", size, str);
+ if (f->path_len > sizeof(f->path) - 1) {
+ f->path_len = sizeof(f->path) - 1;
+ }
 return n;
 }
-static void truncate_path(struct frozen *f, int len) {
+static void truncate_path(struct frozen *f, size_t len) {
 f->path_len = len;
 f->path[len] = '\0';
 }
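Review bot: In `append_to_path` the `int` result of `snprintf` is added straight to the now-unsigned `path_len`, so a negative return (an output error, or a non-C99 `snprintf` that reports truncation as -1) wraps around instead of being rejected. Depending on the previous length, `path_len` then either drops by one or is clamped to the maximum, and nothing guarantees a terminator at that offset. The result should be taken into a local `int`, checked for `< 0`, and only then added, as sketched below. `truncate_path` still writes `f->path[len]` with no bound, and with `size_t` a negative value from an `int` caller (callers are outside this hunk) becomes a very large index; a guard such as `if (len >= sizeof(f->path)) len = sizeof(f->path) - 1;` would keep the write inside the buffer. Truncation is also silent, so a consumer that matches on `path` may see two different deep keys as the same path; a short comment on `append_to_path` saying so would help until the heap-allocation TODO lands.

```c
static int append_to_path(struct frozen *f, const char *str, int size) {
  int n = (int) f->path_len;
  size_t room = sizeof(f->path) - f->path_len;
  int written = snprintf(f->path + f->path_len, room, "%.*s", size, str);
  if (written < 0) {
    /* snprintf failed: keep the path exactly as it was */
    f->path[f->path_len] = '\0';
    return n;
  }
  f->path_len += (size_t) written;
  /* ... unchanged: clamp of path_len to sizeof(f->path) - 1 ... */
  return n;
}
```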