json BUGFIX out of bounds write in lyjson_number Count the base number minus in num_len when parsing negative JSON numbers with an exponent and no decimal point in lyjson_number. Add a regression test case, as the issue was found by fuzzing lyd_parse_mem_json. Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>

commit: c6166a02813e633e2cf31d62979036d814b8d1cd [log] [tgz]
author: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr> Mon Mar 01 11:38:40 2021 +0100
committer: Michal Vasko <mvasko@cesnet.cz> Mon Mar 01 14:10:12 2021 +0100
tree: e0f0b258b3f0bd1db34af1fdbc16060f1196b546
parent: 0e02e8e6bac490f007649e620f34c800da760732 [diff]
diff --git a/src/json.c b/src/json.c
index 09b6303..eb1e847 100644
--- a/src/json.c
+++ b/src/json.c

@@ -403,7 +403,7 @@
                 dp_position = exponent + e_val;
             } else {
                 /* adding decimal point before the integer with adding leading zero(s) */
-                num_len = labs(e_val) + 2;
+                num_len = labs(e_val) + 2 + minus;
                 dp_position = exponent + e_val;
             }
             dp_position -= minus;

diff --git a/tests/fuzz/corpus/lyd_parse_mem_json/pull11438 b/tests/fuzz/corpus/lyd_parse_mem_json/pull11438
new file mode 100644
index 0000000..d4722b2
--- /dev/null
+++ b/tests/fuzz/corpus/lyd_parse_mem_json/pull11438

@@ -0,0 +1 @@
+{"0R:0::809e-47,-689e-47,-689e-489e-47":[809e-47,-689e-47,-689e-4709e-47,-689e-47,-689e-489e-47":[809e-47,-689e-47,-689e-47647,-688Je7,-6889e647,-688Je7,-6889e-47"
\ No newline at end of file
commit	c6166a02813e633e2cf31d62979036d814b8d1cd	[log] [tgz]
author	Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>	Mon Mar 01 11:38:40 2021 +0100
committer	Michal Vasko <mvasko@cesnet.cz>	Mon Mar 01 14:10:12 2021 +0100
tree	e0f0b258b3f0bd1db34af1fdbc16060f1196b546
parent	0e02e8e6bac490f007649e620f34c800da760732 [diff]