Don't advance our end pointer until we've checked we have enough

buffer left and have peeked ahead to see that a unicode escape is approaching. Thanks @kivikakk for helping me track down the actual bug here!
brianmario · Nov 7, 2017 · a8ca8f4 · a8ca8f4
1 parent 35cf1c2
commit a8ca8f4
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/ext/yajl/yajl_encode.c b/ext/yajl/yajl_encode.c
@@ -162,8 +162,8 @@ void yajl_string_decode(yajl_buf buf, const unsigned char * str,
                     end+=3;
                     /* check if this is a surrogate */
                     if ((codepoint & 0xFC00) == 0xD800) {
-                        end++;
-                        if (str[end] == '\\' && str[end + 1] == 'u') {
+                        if (end + 2 < len && str[end + 1] == '\\' && str[end + 2] == 'u') {
+                            end++;
                             unsigned int surrogate = 0;
                             hexToDigit(&surrogate, str + end + 2);
                             codepoint =

diff --git a/spec/parsing/one_off_spec.rb b/spec/parsing/one_off_spec.rb
@@ -2,6 +2,13 @@
 require File.expand_path(File.dirname(__FILE__) + '/../spec_helper.rb')
 
 describe "One-off JSON examples" do
+  it "should not blow up with a bad surrogate trailer" do
+    # https://github.com/brianmario/yajl-ruby/issues/176
+    bad_json = "{\"e\":{\"\\uD800\\\\DC00\":\"a\"}}"
+
+    Yajl::Parser.new.parse(bad_json)
+  end
+
   it "should parse 23456789012E666 and return Infinity" do
     infinity = (1.0/0)
     silence_warnings do