From: Aki Tuomi <aki.tuomi@dovecot.fi>
Date: Mon, 6 Nov 2017 12:40:08 +0000 (+0200)
Subject: lib: json-parser - check for valid hex in unicode escape
X-Git-Tag: 2.3.0.rc1~495
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c980536af173efb82839bdd3d5ce2bfddac9fd9b;p=thirdparty%2Fdovecot%2Fcore.git

lib: json-parser - check for valid hex in unicode escape
---

diff --git a/src/lib/json-parser.c b/src/lib/json-parser.c
index 09964741ce..acece1acb5 100644
--- a/src/lib/json-parser.c
+++ b/src/lib/json-parser.c
@@ -205,6 +205,7 @@ static int json_skip_string(struct json_parser *parser)
 
 static int json_parse_unicode_escape(struct json_parser *parser)
 {
+	char chbuf[5] = {0};
 	unichar_t chr, hi_surg;
 
 	parser->data++;
@@ -213,7 +214,11 @@ static int json_parse_unicode_escape(struct json_parser *parser)
 		parser->data = parser->end;
 		return 0;
 	}
-	chr = hex2dec(parser->data, 4);
+	memcpy(chbuf, parser->data, 4);
+	if (str_to_uint32_hex(chbuf, &chr) < 0) {
+		parser->error = "Invalid unicode escape seen";
+		return -1;
+	}
 	if (UTF16_VALID_HIGH_SURROGATE(chr)) {
 		/* possible surrogate pair */
 		hi_surg = chr;
@@ -241,7 +246,11 @@ static int json_parse_unicode_escape(struct json_parser *parser)
 			}
 			/* error */
 		} else {
-			chr = hex2dec(&parser->data[2], 4);
+			memcpy(chbuf, &parser->data[2], 4);
+			if (str_to_uint32_hex(chbuf, &chr) < 0) {
+				parser->error = "Invalid unicode escape seen";
+				return -1;
+			}
 		}
 		if (parser->data[0] != '\\' || parser->data[1] != 'u' ||
 		    !UTF16_VALID_LOW_SURROGATE(chr)) {
diff --git a/src/lib/test-json-parser.c b/src/lib/test-json-parser.c
index eedeb8440a..403d81c60d 100644
--- a/src/lib/test-json-parser.c
+++ b/src/lib/test-json-parser.c
@@ -252,6 +252,7 @@ static void test_json_parser_errors(void)
 		"{\"foo\": 1},{}",
 		"{\"foo\": \"\\ud808\"}",
 		"{\"foo\": \"\\udfff\"}",
+		"{\"foo\": \"\\uyyyy\"}",
 	};
 	unsigned int i;