Fixed bug #3139678: stack buffer overflow when parsing a double with a length of 32 characters.

blep · blep · commit 99043b32b522 · 2011-05-01T15:47:38.000Z
diff --git a/NEWS.txt b/NEWS.txt
@@ -3,8 +3,9 @@
 
 * Compilation
 
-  - LD_LIBRARY_PATH and LIBRARY_PATH environment variables are now propagated to the build
-    environment as this is required for some compiler installation.
+  - LD_LIBRARY_PATH and LIBRARY_PATH environment variables are now 
+    propagated to the build environment as this is required for some 
+    compiler installation.
 
   - Added support for Microsoft Visual Studio 2008 (bug #2930462): 
     The platform "msvc90" has been added.
@@ -70,8 +71,11 @@
 
 * Bug fixes
 
-  - Bug #3139677: JSON [1 2 3] was incorrectly parsed as [1, 3]. Error is now correctly 
-    detected.
+  - Bug #3139677: JSON [1 2 3] was incorrectly parsed as [1, 3]. Error is now 
+    correctly detected.
+    
+  - Bug #3139678: stack buffer overflow when parsing a double with a
+    length of 32 characters.
 
 * License
   
diff --git a/src/lib_json/json_reader.cpp b/src/lib_json/json_reader.cpp
@@ -610,7 +610,7 @@ Reader::decodeDouble( Token &token )
    int length = int(token.end_ - token.start_);
    if ( length <= bufferSize )
    {
-      Char buffer[bufferSize];
+      Char buffer[bufferSize+1];
       memcpy( buffer, token.start_, length );
       buffer[length] = 0;
       count = sscanf( buffer, "%lf", &value );

Original file line number	Diff line number	Diff line change
`@@ -610,7 +610,7 @@ Reader::decodeDouble( Token &token )`
`610`	`610`	`int length = int(token.end_ - token.start_);`
`611`	`611`	`if ( length <= bufferSize )`
`612`	`612`	`{`
`613`		`- Char buffer[bufferSize];`
	`613`	`+ Char buffer[bufferSize+1];`
`614`	`614`	`memcpy( buffer, token.start_, length );`
`615`	`615`	`buffer[length] = 0;`
`616`	`616`	`count = sscanf( buffer, "%lf", &value );`