mkmkme opened a new pull request, #2812: URL: https://github.com/apache/avro/pull/2812
## What is the purpose of the change

This PR fixes AVRO-3945.

* [C++] Sort the order of unittests and add missing tests
* Add the missing bounds check in the loop

This issue was found by cppcheck:

```
impl/json/JsonIO.cc:319:66: warning: Missing bounds check for extra iterator increment in loop. [StlMissingComparison]
    for (string::const_iterator it = s.begin(); it != s.end(); ++it) {
                                                                 ^
impl/json/JsonIO.cc:350:37: note: Missing bounds check for extra iterator increment in loop.
                        char c = *++it;
                                    ^
impl/json/JsonIO.cc:319:66: note: Missing bounds check for extra iterator increment in loop.
    for (string::const_iterator it = s.begin(); it != s.end(); ++it) {
```

The original implementation contained a for-loop that incremented an iterator on each iteration **and** if a backslash was found. This caused a situation where a malicious string could cause an invalid memory access, because the iterator would reach **after** the `s.cend()` due to additional increments in the loop body.

## Verifying this change

This change is already covered by existing tests, such as `tests/JsonTests.cc`.

## Documentation

- Does this pull request introduce a new feature? **no**
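The bounds check that the cppcheck warning above asks for, as an added example that is not part of the pull request or Avro's `JsonIO.cc`: every extra iterator advance inside the loop body is compared against `cend()` before the dereference. The function name `unescape_checked` and the set of escapes it handles are assumptions made for illustration.

```cpp
#include <string>

// Hypothetical helper (not Avro code): decodes backslash escapes from s into
// out. Returns false when an escape is cut off by the end of the input or is
// not recognised, instead of reading past s.cend().
bool unescape_checked(const std::string &s, std::string &out) {
    out.clear();
    out.reserve(s.size());
    for (auto it = s.cbegin(); it != s.cend(); ++it) {
        if (*it != '\\') {
            out.push_back(*it);
            continue;
        }
        // Extra increment inside the body: the loop condition has not seen
        // this position yet, so compare against cend() before reading it.
        if (++it == s.cend()) {
            return false; // input ends with a lone backslash
        }
        switch (*it) {
            case 'n': out.push_back('\n'); break;
            case 't': out.push_back('\t'); break;
            case '"': case '\\': case '/': out.push_back(*it); break;
            case 'u': {
                // \uXXXX consumes four more characters; check the remaining
                // distance first so `it` never moves past cend().
                if (s.cend() - it < 5) {
                    return false;
                }
                unsigned value = 0;
                for (int i = 0; i < 4; ++i) {
                    const char c = *++it;
                    unsigned digit;
                    if (c >= '0' && c <= '9') digit = c - '0';
                    else if (c >= 'a' && c <= 'f') digit = c - 'a' + 10;
                    else if (c >= 'A' && c <= 'F') digit = c - 'A' + 10;
                    else return false; // not a hex digit
                    value = value * 16 + digit;
                }
                // This example emits ASCII only; larger code points are rejected.
                if (value > 0x7F) return false;
                out.push_back(static_cast<char>(value));
                break;
            }
            default: return false; // unknown escape
        }
    }
    return true;
}
```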