json BUGFIX buf heap overflow in lyjson_string_ fix a heap buffer overflow in lyjson_string_, where the output buffer buf was incremented only once if it didn't have enough space. If the output was still larger than the buffer, the size wasn't incremented and a overflow would occur.

commit: d746a3504ed857e30a8cd94b9434de1a42003bb5 [log] [tgz]
author: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr> Fri Jan 15 11:33:33 2021 +0100
committer: Radek Krejci <rkrejci@cesnet.cz> Mon Jan 18 14:26:44 2021 +0100
tree: 7860ca34b8133cb568a568a549a675aaa013eb60
parent: ec285cd6053f72136e940ba97f6f154c0df1319e [diff] [blame]
diff --git a/src/json.c b/src/json.c
index 95c5bda..e52b3de 100644
--- a/src/json.c
+++ b/src/json.c

@@ -169,7 +169,9 @@
              * we will need 4 bytes at most since we support only the predefined
              * (one-char) entities and character references */
             if (len + offset + 4 >= size) {
-                buf = ly_realloc(buf, size + BUFSIZE_STEP);
+                size_t increment;
+                for (increment = BUFSIZE_STEP; len + offset + 4 >= size + increment; increment += BUFSIZE_STEP) ;
+                buf = ly_realloc(buf, size + increment);
                 LY_CHECK_ERR_RET(!buf, LOGMEM(jsonctx->ctx), LY_EMEM);
                 size += BUFSIZE_STEP;
             }
commit	d746a3504ed857e30a8cd94b9434de1a42003bb5	[log] [tgz]
author	Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>	Fri Jan 15 11:33:33 2021 +0100
committer	Radek Krejci <rkrejci@cesnet.cz>	Mon Jan 18 14:26:44 2021 +0100
tree	7860ca34b8133cb568a568a549a675aaa013eb60
parent	ec285cd6053f72136e940ba97f6f154c0df1319e [diff] [blame]