Package: libjson0 Version: 0.10-1.1 Severity: important If the input JSON contains an empty string value (i.e. ""), the internal string buffer is left unterminated — malloc(0) followed by a zero-length memcpy, with no NUL byte written — so any later read of it as a C string runs off the end of the allocation (undefined behaviour, typically garbage or a crash).
If the Unicode escape \u0000 appears in the input, the decoded NUL byte ends the C string early when the tokener hands its buffer to json_object_new_string(), so everything after that escape is silently dropped. The attached patch fixes these issues. -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.2.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages libjson0 depends on: ii libc6 2.13-33 ii multiarch-support 2.13-33 libjson0 recommends no packages. libjson0 suggests no packages. -- no debconf information
Index: json-c-0.10/json_object.c
===================================================================
--- json-c-0.10.orig/json_object.c 2012-04-29 10:55:43.000000000 -0700
+++ json-c-0.10/json_object.c 2012-08-30 11:26:08.000000000 -0700
@@ -531,8 +531,9 @@
 if(!jso) return NULL;
 jso->_delete = &json_object_string_delete;
 jso->_to_json_string = &json_object_string_to_json_string;
- jso->o.c_string.str = malloc(len);
+ jso->o.c_string.str = malloc(len + 1);
 memcpy(jso->o.c_string.str, (void *)s, len);
+ jso->o.c_string.str[len] = '\0';
 jso->o.c_string.len = len;
 return jso;
 }
Index: json-c-0.10/json_tokener.c
===================================================================
--- json-c-0.10.orig/json_tokener.c 2012-04-29 10:55:43.000000000 -0700
+++ json-c-0.10/json_tokener.c 2012-08-30 11:22:29.000000000 -0700
@@ -387,7 +387,7 @@
 while(1) {
 if(c == tok->quote_char) {
 printbuf_memappend_fast(tok->pb, case_start, str-case_start);
- current = json_object_new_string(tok->pb->buf);
+ current = json_object_new_string_len(tok->pb->buf, tok->pb->bpos);
 saved_state = json_tokener_state_finish;
 state = json_tokener_state_eatws;
 break;
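Review bot: The `malloc(len + 1)` on the added line is still unchecked, so on allocation failure the following memcpy and the new `jso->o.c_string.str[len] = '\0'` both write through a null pointer; insert `if (!jso->o.c_string.str) { json_object_put(jso); return NULL; }` between the allocation and the memcpy (json_object_put is the obvious release path since `_delete` is already set, but confirm it is the right cleanup for a half-built object in this version). If `len` is a signed int here, as the signature outside the hunk presumably declares, `len + 1` overflows at INT_MAX and a negative `len` is converted to a huge size_t, so the caller-supplied length should be range-checked before the allocation rather than trusted. The enclosing function, presumably json_object_new_string_len given the tokener hunk, starts before this hunk.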
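Review bot: Passing `tok->pb->bpos` makes the stored object keep the bytes after an embedded NUL, but anything that still reads the value through `json_object_get_string` or other strlen-based code will stop at that NUL, and the serializer `json_object_string_to_json_string` is not in this hunk, so it is not shown whether re-encoding uses `o.c_string.len` or strlen; if it is the latter, `"a\u0000b"` still loses `b` on output. A regression test that parses `"a\u0000b"`, asserts the stored length is 3, and checks that re-serialization yields `"a\u0000b"` again would pin both halves of the fix. Note also that `bpos` and the `len` parameter should be the same signedness to avoid a silent conversion at this call. The enclosing tokener loop continues on both sides of this hunk.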