fix #881, check overlap before calling strcpy in cJSON_SetValuestring

author Nicolas Badoux <n.badoux@hotmail.com>

Fri, 23 Aug 2024 14:50:30 +0000 (14:50 +0000)

committer Alan Wang <wp_scut@163.com>

Fri, 30 Aug 2024 03:29:28 +0000 (11:29 +0800)
author Nicolas Badoux <n.badoux@hotmail.com>
Fri, 23 Aug 2024 14:50:30 +0000 (14:50 +0000)
committer Alan Wang <wp_scut@163.com>
Fri, 30 Aug 2024 03:29:28 +0000 (11:29 +0800)
diff --git a/cJSON.c b/cJSON.c

index fe22bd83c5fab07266116ff1e2d074a42cd436bb..56f65efe4416641a1e8dd983451f6ba10c4823f5 100644 (file)
--- a/cJSON.c
+++ b/cJSON.c
@@ -403,6 +403,8 @@ CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number)
  CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
  {
      char *copy = NULL;
+    size_t v1_len;
+    size_t v2_len;
      /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
      if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference))
      {
@@ -413,8 +415,17 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
      {
          return NULL;
      }
-    if (strlen(valuestring) <= strlen(object->valuestring))
+
+    v1_len = strlen(valuestring);
+    v2_len = strlen(object->valuestring);
+
+    if (v1_len <= v2_len)
      {
+        /* strcpy does not handle overlapping string: [X1, X2] [Y1, Y2] => X2 < Y1 or Y2 < X1 */
+        if (!( valuestring + v1_len < object->valuestring || object->valuestring + v2_len < valuestring ))
+        {
+            return NULL;
+        }
          strcpy(object->valuestring, valuestring);
          return object->valuestring;
      }
author	Nicolas Badoux <n.badoux@hotmail.com>
	Fri, 23 Aug 2024 14:50:30 +0000 (14:50 +0000)
committer	Alan Wang <wp_scut@163.com>
	Fri, 30 Aug 2024 03:29:28 +0000 (11:29 +0800)