cJSONUtils_ApplyPatches: Don't accept invalid array indices

a1602f48 · Max Bruckner · d058a9cd · a1602f48
隐藏空白更改
内联并排

Showing with 19 addition and 1 deletion

cJSON_Utils.c cJSON_Utils.c +19 -1

未找到文件。
--- a/cJSON_Utils.c
+++ b/cJSON_Utils.c
@@ -543,7 +543,25 @@ static int cJSONUtils_ApplyPatch(cJSON *object, cJSON *patch)
        }
        else
        {
-            if (!insert_item_in_array(parent, (size_t)atoi((char*)childptr), value))
+            char *end_pointer = NULL;
+            long int index = strtol((char*)childptr, &end_pointer, 10);
+            if ((unsigned char*)end_pointer == childptr)
+            {
+                /* failed to parse numeric array index */
+                free(parentptr);
+                cJSON_Delete(value);
+                return 11;
+            }
+
+            if ((index < 0) || (*end_pointer != '\0'))
+            {
+                /* array index is invalid */
+                free(parentptr);
+                cJSON_Delete(value);
+                return 12;
+            }
+
+            if (!insert_item_in_array(parent, (size_t)index, value))
            {
                free(parentptr);
                cJSON_Delete(value);