Fix reading buffer overflow in parse_string

DaveGamble · May 10, 2017 · a167d9e · a167d9e
1 parent b537ca7
commit a167d9e
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/cJSON.c b/cJSON.c
@@ -657,7 +657,7 @@ static cJSON_bool parse_string(cJSON * const item, parse_buffer * const input_bu
         /* calculate approximate size of the output (overestimate) */
         size_t allocation_length = 0;
         size_t skipped_bytes = 0;
-        while ((*input_end != '\"') && ((size_t)(input_end - input_buffer->content) < input_buffer->length))
+        while (((size_t)(input_end - input_buffer->content) < input_buffer->length) && (*input_end != '\"'))
         {
             /* is escape sequence */
             if (input_end[0] == '\\')
@@ -672,7 +672,7 @@ static cJSON_bool parse_string(cJSON * const item, parse_buffer * const input_bu
             }
             input_end++;
         }
-        if (*input_end != '\"')
+        if (((size_t)(input_end - input_buffer->content) >= input_buffer->length) || (*input_end != '\"'))
         {
             goto fail; /* string ended unexpectedly */
         }