Fix for CVE-2025-40928
Fix a heap overflow that causes crashes, possibly information disclosure or worse (CVE-2025-40928), and that causes JSON::XS to accept invalid JSON texts as valid in some cases.
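--- JSON-XS-3.04/XS.xs.cve 2017-08-17 03:54:33.000000000 +0200
+++ JSON-XS-3.04/XS.xs 2025-09-15 13:09:42.314411248 +0200
@@ -247,16 +247,16 @@ json_atof_scan1 (const char *s, NV *accu
 // if we recurse too deep, skip all remaining digits
 // to avoid a stack overflow attack
 if (expect_false (--maxdepth <= 0))
-while (((U8)*s - '0') < 10)
+while (*s >= '0' && *s <= '9')
 ++s;
 
 for (;;)
 {
-U8 dig = (U8)*s - '0';
+U8 dig = *s - '0';
 
 if (expect_false (dig >= 10))
 {
-if (dig == (U8)((U8)'.' - (U8)'0'))
+if (dig == (U8)('.' - '0'))
 {
 ++s;
 json_atof_scan1 (s, accum, expo, 1, maxdepth);
@@ -276,8 +276,8 @@ json_atof_scan1 (const char *s, NV *accu
 else if (*s == '+')
 ++s;
 
-while ((dig = (U8)*s - '0') < 10)
-exp2 = exp2 * 10 + *s++ - '0';
+while (*s >= '0' && *s <= '9')
+exp2 = exp2 * 10 + (*s++ - '0');
 
 *expo += neg ? -exp2 : exp2;
 }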
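Review bot: The rewritten exponent loop in the second hunk, `exp2 = exp2 * 10 + (*s++ - '0');`, still accumulates with no bound, so if exp2 is a signed int (its declaration is outside the hunk) a long run of exponent digits overflows it, which is undefined behaviour in C rather than a harmless saturation. Since an exponent far beyond a few hundred already pushes a double-sized NV to infinity or zero, a cheap cap in the loop body bounds the value while keeping the scan position correct: `{ if (exp2 < 100000) exp2 = exp2 * 10 + (*s - '0'); ++s; }` (100000 is a constructed example; any limit well inside int range works). In the first hunk the reason the `(U8)*s - '0'` idiom was dropped is not recorded; a comment above the new `while (*s >= '0' && *s <= '9')` such as `// (U8)*s - '0' promotes to int and goes negative for bytes below '0', including the NUL terminator, so an explicit range test is required` would keep the next maintainer from reintroducing it. json_atof_scan1 begins before the first hunk and its body continues after the second.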