Package: libjson0
Version: 0.10-1.1
Severity: important

If the input JSON contains an empty value (i.e. "") the internal string
buffer is unterminated and unexpected behaviour occurs.

If the unicode value \u0000 appears in the input the string is
terminated early and the string is truncated.

The attached patch fixes these issues.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libjson0 depends on:
ii  libc6              2.13-33
ii  multiarch-support  2.13-33

libjson0 recommends no packages.

libjson0 suggests no packages.

-- no debconf information

Index: json-c-0.10/json_object.c
===================================================================
--- json-c-0.10.orig/json_object.c      2012-04-29 10:55:43.000000000 -0700
+++ json-c-0.10/json_object.c   2012-08-30 11:26:08.000000000 -0700
@@ -531,8 +531,9 @@
   if(!jso) return NULL;
   jso->_delete = &json_object_string_delete;
   jso->_to_json_string = &json_object_string_to_json_string;
-  jso->o.c_string.str = malloc(len);
+  jso->o.c_string.str = malloc(len + 1);
   memcpy(jso->o.c_string.str, (void *)s, len);
+  jso->o.c_string.str[len] = '\0';
   jso->o.c_string.len = len;
   return jso;
 }
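Review bot: the new `malloc(len + 1)` result is still unchecked before the `memcpy`, although `jso` is NULL-checked two lines above; on allocation failure the copy and the new `jso->o.c_string.str[len] = '\0'` both write through a null pointer. Suggest adding `if(!jso->o.c_string.str) { free(jso); return NULL; }` (or the equivalent cleanup) right after the allocation. The terminator itself is the right fix: `_to_json_string` and any other consumer that treats `str` as a C string was reading past the end of the old `malloc(len)` block, not only for the empty string but for every string, since nothing ever wrote a NUL.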
Index: json-c-0.10/json_tokener.c
===================================================================
--- json-c-0.10.orig/json_tokener.c     2012-04-29 10:55:43.000000000 -0700
+++ json-c-0.10/json_tokener.c  2012-08-30 11:22:29.000000000 -0700
@@ -387,7 +387,7 @@
        while(1) {
          if(c == tok->quote_char) {
            printbuf_memappend_fast(tok->pb, case_start, str-case_start);
-           current = json_object_new_string(tok->pb->buf);
+           current = json_object_new_string_len(tok->pb->buf, tok->pb->bpos);
            saved_state = json_tokener_state_finish;
            state = json_tokener_state_eatws;
            break;
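Review bot: using `tok->pb->bpos` instead of letting `json_object_new_string` measure `tok->pb->buf` with `strlen` is what stops the cut at `\u0000`, but the embedded NUL is only preserved for consumers that honour the stored `len`; anything that reads the object's `str` as a C string will still see it truncated at the NUL, and that limitation should be stated in the changelog entry. The hunk only covers the closing-quote path; the patch should say whether the other places in the tokener that build strings from `tok->pb->buf` were checked the same way. Also, the patch has no description header at all, so neither fix is explained in the patch itself.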

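An added example, not json-c's code and not part of the report, that models the two defects in C under hypothetical names: `jstr_new_len` is the patched constructor with the `len + 1` allocation and explicit terminator, and `decode_body` returns the decoded byte count the way the patch passes `tok->pb->bpos` instead of a `strlen`-derived length. It expands only the `\u0000` escape from the report, and `report_cases_ok` exercises both the empty-string and the embedded-NUL case on constructed input.

```c
#include <stdlib.h>
#include <string.h>

struct jstr { char *str; size_t len; };   /* stands in for jso->o.c_string */

/* Patched form of the constructor: len + 1 bytes plus an explicit terminator,
 * so an empty input ("", len 0) still yields a valid C string. Unlike the
 * original, the inner allocation is also checked. */
static struct jstr *jstr_new_len(const char *s, size_t len)
{
    struct jstr *j = malloc(sizeof *j);
    if (!j) return NULL;
    j->str = malloc(len + 1);
    if (!j->str) { free(j); return NULL; }
    memcpy(j->str, s, len);
    j->str[len] = '\0';
    j->len = len;
    return j;
}

static void jstr_free(struct jstr *j) { if (j) { free(j->str); free(j); } }

/* Decodes the body of a JSON string literal into out, expanding only the
 * \u0000 escape from the report (other escapes are copied verbatim).
 * Returns the byte count, the analogue of tok->pb->bpos in the patch. */
static size_t decode_body(const char *in, char *out, size_t cap)
{
    size_t n = 0;
    for (; *in && n + 1 < cap; in++) {
        if (strncmp(in, "\\u0000", 6) == 0) { out[n++] = '\0'; in += 5; }
        else out[n++] = *in;
    }
    out[n] = '\0';                     /* printbuf keeps a terminator too */
    return n;
}

/* Constructed input "ab\u0000cd": the pre-patch length, strlen(buf), is 2
 * (truncated at the NUL); the length-based copy keeps all 5 bytes. Returns 1
 * when both cases from the report behave as the patch intends. */
static int report_cases_ok(void)
{
    char buf[16];
    size_t n = decode_body("ab\\u0000cd", buf, sizeof buf);
    struct jstr *s = jstr_new_len(buf, n), *e = jstr_new_len("", 0);
    int ok = n == 5 && strlen(buf) == 2 &&
             s && s->len == 5 && memcmp(s->str, "ab\0cd", 6) == 0 &&
             e && e->len == 0 && e->str[0] == '\0';
    jstr_free(s);
    jstr_free(e);
    return ok;
}
```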