Fix CVE-2020-12762.

This commit is a squashed backport of the following commits on the master branch: * 099016b7e8 * 77d935b7ae * d07b910149 * 519dfe1591 * a59d5acfab * 26f080997d
2026-03-28 17:39:07 +08:00 · 2020-05-14 12:32:30 +02:00
parent 228881c8fc
commit 5d6fa33141
5 changed files with 57 additions and 3 deletions
--- a/tests/test4.c
+++ b/tests/test4.c
@@ -3,12 +3,15 @@
 */

 #include "config.h"
+#include <assert.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>

 #include "json_inttypes.h"
 #include "json_object.h"
 #include "json_tokener.h"
+#include "snprintf_compat.h"

 void print_hex(const char *s)
 {
@@ -24,6 +27,29 @@ void print_hex(const char *s)
 	putchar('\n');
 }

+static void test_lot_of_adds(void);
+static void test_lot_of_adds()
+{
+	int ii;
+	char key[50];
+	json_object *jobj = json_object_new_object();
+	assert(jobj != NULL);
+	for (ii = 0; ii < 500; ii++)
+	{
+		snprintf(key, sizeof(key), "k%d", ii);
+		json_object *iobj = json_object_new_int(ii);
+		assert(iobj != NULL);
+		if (json_object_object_add(jobj, key, iobj))
+		{
+			fprintf(stderr, "FAILED to add object #%d\n", ii);
+			abort();
+		}
+	}
+	printf("%s\n", json_object_to_json_string(jobj));
+	assert(json_object_object_length(jobj) == 500);
+	json_object_put(jobj);
+}
+
 int main(void)
 {
 	const char *input = "\"\\ud840\\udd26,\\ud840\\udd27,\\ud800\\udd26,\\ud800\\udd27\"";
@@ -52,5 +78,8 @@ int main(void)
 		retval = 1;
 	}
 	json_object_put(parse_result);
+
+	test_lot_of_adds();
+
 	return retval;
 }
--- a/tests/test4.expected
+++ b/tests/test4.expected