[git] GPGME - branch, master, updated. gpgme-1.11.1-91-g013a7f4

by Werner Koch cvs at cvs.gnupg.org
Mon Jul 16 12:46:11 CEST 2018


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GnuPG Made Easy".

The branch, master has been updated
       via  013a7f47ab486c380b3c97637d3b15f11de74fe8 (commit)
      from  1bb3f8409d4bbec403bea768184a691d9d7ea42d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 013a7f47ab486c380b3c97637d3b15f11de74fe8
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Jul 16 12:34:52 2018 +0200

    json: Fix buffer overflow in cJSON.c
    
    * src/cJSON.c (parse_string): Correctly detect bad hex.
    --
    
    The call to parse_hex4 checks that only hex digits follow and in the
    error case returns 0.  However, by the time of the combined check for
    an invalid value and the error PTR has already been set to the last
    hex character and thus if the end-of-string or a quote character was
    one of the bad hex digits the loop will miss the end of the string
    which does not match with the simple buffer length allocation test at
    the beginning of the function.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/src/cJSON.c b/src/cJSON.c
index 38cb152..610ff92 100644
--- a/src/cJSON.c
+++ b/src/cJSON.c
@@ -275,17 +275,22 @@ parse_string (cJSON * item, const char *str, const char **ep)
 	      break;
 	    case 'u':		/* transcode utf16 to utf8. */
 	      uc = parse_hex4 (ptr + 1);
+              if (!uc)
+                break;          /* Bad hex; continue right after the 'u'. */
 	      ptr += 4;		/* get the unicode char. */
 
-	      if ((uc >= 0xDC00 && uc <= 0xDFFF) || uc == 0)
+	      if ((uc >= 0xDC00 && uc <= 0xDFFF))
 		break;		/* check for invalid.   */
 
 	      if (uc >= 0xD800 && uc <= 0xDBFF)	/* UTF16 surrogate pairs. */
 		{
 		  if (ptr[1] != '\\' || ptr[2] != 'u')
 		    break;	/* missing second-half of surrogate.    */
-		  uc2 = parse_hex4 (ptr + 3);
-		  ptr += 6;
+                  ptr += 2;
+		  uc2 = parse_hex4 (ptr + 1);
+                  if (!uc2)
+                    break;      /* Bad hex; continue right after the 'u'. */
+		  ptr += 4;
 		  if (uc2 < 0xDC00 || uc2 > 0xDFFF)
 		    break;	/* invalid second-half of surrogate.    */
 		  uc = 0x10000 + (((uc & 0x3FF) << 10) | (uc2 & 0x3FF));
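
Review bot: In the `case 'u':` branch, `if (!uc) break;` cannot tell a malformed escape from a well-formed `\u0000`, because parse_hex4 signals an error by returning 0 (as the commit message states) and 0 is also the decoded value of four zero digits. The old combined test already rejected `uc == 0`, so this is not a new restriction, but the early break now leaves PTR on the 'u' and, per the new comment, parsing continues right after it. Please either state in the comment that `\u0000` is deliberately handled like bad hex, or give parse_hex4 an error return that is distinct from a decoded zero. The same applies to `if (!uc2)` in the surrogate branch. On style, the added lines are indented with spaces while the surrounding context uses tabs, and the doubled parentheses left in `if ((uc >= 0xDC00 && uc <= 0xDFFF))` are now redundant. A regression test with an escape cut short by the closing quote or the end of the string, in both the first and the second half of a surrogate pair, would keep the length assumption made at the start of parse_string from silently breaking again.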

-----------------------------------------------------------------------

Summary of changes:
 src/cJSON.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)


hooks/post-receive
-- 
GnuPG Made Easy
http://git.gnupg.org



