commit 46eb15ec20af3ae28ed57c07eccce44c9da357a7
author Juraj Vijtiuk <juraj.vijtiuk@sartura.hr> Mon Sep 06 15:38:36 2021 +0200
committer Michal Vasko <mvasko@cesnet.cz> Tue Sep 07 13:32:43 2021 +0200
tree 069f5fecc12fd16b1a73407a57ce51447f7481d5
parent d44afd8958929eb4268c6968809f9a5668ff0131

parser json BUGFIX decrease sublevels when skipping empty arrays and objects in lydjson_data_skip

If lydjson_data_skip encountered an open object with a nested empty
object it would increment the sublevel when the empty object was opened,
but wouldn't decrement the sublevel when it was closed, as it only
checked for LYJSON_OBJECT_CLOSE and not LYJSON_EMPTY_OBJECT.

This could result in lydjson_data_skip continuing to parse the input
resulting in invalid state in its caller.

The same issue would happen with empty arrays.

This issue was found by OSS-Fuzz in lyd_parse_mem_json.

Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>

src/parser_json.c

diff --git a/src/parser_json.c b/src/parser_json.c
index e9cbfe9..095705b 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -290,7 +290,9 @@
         LY_CHECK_RET(lyjson_ctx_next(jsonctx, &current));
         if (current == status) {
             sublevels++;
-        } else if (current == status + 1) {
+        } else if ((status == LYJSON_OBJECT) && ((current == LYJSON_OBJECT_CLOSED) || (current == LYJSON_OBJECT_EMPTY))) {
+            sublevels--;
+        } else if ((status == LYJSON_ARRAY) && ((current == LYJSON_ARRAY_CLOSED) || (current == LYJSON_ARRAY_EMPTY))) {
             sublevels--;
         }
     } while (current != status + 1 || sublevels);