Issue #275: fix out of bounds read when handling unicode surrogate pairs.

json_tokener.c

@@ -580,7 +580,7 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
 
 	  /* Handle a 4-byte sequence, or two sequences if a surrogate pair */
 	  while(1) {
-	    if(strchr(json_hex_chars, c)) {
+	    if (c && strchr(json_hex_chars, c)) {
 	      tok->ucs_char += ((unsigned int)jt_hexdigit(c) << ((3-tok->st_pos++)*4));
 	      if(tok->st_pos == 4) {
 		unsigned char unescaped_utf[4];
@@ -611,8 +611,8 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
                    */
                   got_hi_surrogate = tok->ucs_char;
                   /* Not at end, and the next two chars should be "\u" */
-                  if ((tok->char_offset+1 != len) &&
+                  if ((len == -1 || len > (tok->char_offset + 2)) &&
-                      (tok->char_offset+2 != len) &&
+                      // str[0] != '0' &&  // implied by json_hex_chars, above.
                       (str[1] == '\\') &&
                       (str[2] == 'u'))
                   {

tests/test_parse.c

@@ -44,6 +44,11 @@ static void test_basic_parse()
 	printf("new_obj.to_string()=%s\n", json_object_to_json_string(new_obj));
 	json_object_put(new_obj);
 
+	// Test with a "short" high surrogate
+	new_obj = json_tokener_parse("[9,'\\uDAD");
+	printf("new_obj.to_string()=%s\n", json_object_to_json_string(new_obj));
+	json_object_put(new_obj);
+
 	new_obj = json_tokener_parse("null");
 	printf("new_obj.to_string()=%s\n", json_object_to_json_string(new_obj));
 	json_object_put(new_obj);

tests/test_parse.expected

@@ -3,6 +3,7 @@ new_obj.to_string()="foo"
 new_obj.to_string()="foo"
 new_obj.to_string()="ABC"
 new_obj.to_string()=null
+new_obj.to_string()=null
 new_obj.to_string()=NaN
 new_obj.to_string()=null
 new_obj.to_string()=null