json BUGFIX buf heap overflow in lyjson_string_
fix a heap buffer overflow in lyjson_string_, where the output buffer
buf was incremented only once if it didn't have enough space. If the
output was still larger than the buffer, the size wasn't incremented
and an overflow would occur.
diff --git a/src/json.c b/src/json.c
index 95c5bda..e52b3de 100644
--- a/src/json.c
+++ b/src/json.c
@@ -169,7 +169,9 @@
* we will need 4 bytes at most since we support only the predefined
* (one-char) entities and character references */
if (len + offset + 4 >= size) {
- buf = ly_realloc(buf, size + BUFSIZE_STEP);
+ size_t increment;
+ for (increment = BUFSIZE_STEP; len + offset + 4 >= size + increment; increment += BUFSIZE_STEP) ;
+ buf = ly_realloc(buf, size + increment);
LY_CHECK_ERR_RET(!buf, LOGMEM(jsonctx->ctx), LY_EMEM);
size += BUFSIZE_STEP;
}
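Review bot: `size += BUFSIZE_STEP;` on the last context line of the hunk still advances the tracked capacity by a single step, although the buffer was just reallocated to `size + increment`; from then on `size` understates the real allocation, so the `len + offset + 4 >= size` guard fires earlier than necessary and the following ly_realloc may even hand back a smaller block than the one currently held. The line should become `size += increment;` so the bookkeeping matches what ly_realloc actually returned. The bound in the new for-loop is otherwise consistent with the guard above it. lyjson_string_ begins before and continues after this hunk, so any other uses of `size` in the function could not be checked here.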