Detect end of input inside an unfinished JSON string

Jay Berkenbilt
1 parent 3490090f
Showing 4 changed files with 11 additions and 3 deletions
fuzz/json_fuzzer_seed_corpus/9bc1baa450a0977fb3ac06c1ddb3fc2d4c05a5ce
fuzz/qtest/fuzz.test
libqpdf/JSON.cc
libtests/json.cc
+{"qpdf":[{},{"obj:1 0 R":{"stream":{"data":"
 \ No newline at end of file
@@ -16,7 +16,7 @@ my @fuzzers = (
     ['dct' => 1],
     ['flate' => 1],
     ['hex' => 1],
-    ['json' => 39],
+    ['json' => 40],
     ['lzw' => 2],
     ['pngpredictor' => 1],
     ['runlength' => 6],
@@ -628,6 +628,7 @@ namespace
             ls_number_e_sign,
             ls_alpha,
             ls_string,
+            ls_after_string,
             ls_backslash,
             ls_u4,
             ls_begin_array,
@@ -1039,7 +1040,7 @@ JSONParser::getToken()
                             "JSON: offset " + std::to_string(high_offset) +
                             ": UTF-16 high surrogate not followed by low surrogate");
                     }
-                    ignore();
+                    ignore(ls_after_string);
                     return;
                 } else if (*p == '\\') {
                     ignore(ls_backslash);
@@ -1234,7 +1235,7 @@ JSONParser::handleToken()
         }
         break;
  
-    case ls_string:
+    case ls_after_string:
         if (parser_state == ps_dict_begin || parser_state == ps_dict_after_comma) {
             dict_key = token;
             dict_key_offset = token_start;
@@ -134,6 +134,12 @@ test_main()
         "  \"normal\": \"string\"\n"
         "}");
  
+    try {
+        JSON::parse("\"");
+        assert(false);
+    } catch (std::runtime_error&) {
+    }
+
     // Check default constructed JSON object (order as per JSON.hh).
     JSON uninitialized;
     std::string ws;