diff src/json.c @ 13456:7495e3ee1a69 v8.0.1602

patch 8.0.1602: crash in parsing JSON commit https://github.com/vim/vim/commit/625f0c1eb75da08229843fa393b1ee4e6547d285 Author: Bram Moolenaar <Bram@vim.org> Date: Tue Mar 13 13:10:41 2018 +0100 patch 8.0.1602: crash in parsing JSON Problem: Crash in parsing JSON. Solution: Fail when using array or dict as dict key. (Damien)
author Christian Brabandt <cb@256bit.org>
date Tue, 13 Mar 2018 13:15:06 +0100
parents c35d266308c2
children e76499e85744
--- a/src/json.c
+++ b/src/json.c
@@ -621,7 +621,9 @@ json_decode_item(js_read_T *reader, typv
 	if (top_item != NULL && top_item->jd_type == JSON_OBJECT_KEY
 		&& (options & JSON_JS)
 		&& reader->js_buf[reader->js_used] != '"'
-		&& reader->js_buf[reader->js_used] != '\'')
+		&& reader->js_buf[reader->js_used] != '\''
+		&& reader->js_buf[reader->js_used] != '['
+		&& reader->js_buf[reader->js_used] != '{')
 	{
 	    char_u *key;
 
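Review bot: The two added exclusions for `'['` and `'{'` in this condition carry no comment, and their purpose only becomes clear from the later hunks: they appear to keep a bracket or brace out of the unquoted-key branch so that the new `JSON_OBJECT_KEY` checks under `case '['` and `case '{'` can reject it. A comment above the condition such as `/* '[' and '{' cannot start a key; let the switch below fail on them */` would record that. The condition now indexes `reader->js_buf[reader->js_used]` four times; reading it once into a local (`int c = reader->js_buf[reader->js_used];`) would make the test easier to audit. The body of the unquoted-key block continues outside the hunk.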
@@ -642,6 +644,11 @@ json_decode_item(js_read_T *reader, typv
 	    switch (*p)
 	    {
 		case '[': /* start of array */
+		    if (top_item && top_item->jd_type == JSON_OBJECT_KEY)
+		    {
+			retval = FAIL;
+			break;
+		    }
 		    if (ga_grow(&stack, 1) == FAIL)
 		    {
 			retval = FAIL;
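Review bot: The guard added under `case '['` is repeated verbatim under `case '{'` in the next hunk, and both spell the null test as `top_item &&` while the condition in the first hunk uses `top_item != NULL`; the explicit form in both places would match the surrounding code. Neither copy says why it fails, so a one-line comment such as `/* an array or object cannot be used as an object key */` belongs on each. Only src/json.c is shown here, so it cannot be seen whether a regression test covers this; if none exists, one that decodes input with an array or object in key position, in both strict and JS modes, would pin the fix. How `retval == FAIL` is handled after the `break` lies outside the hunk, though the neighbouring `ga_grow` failure path uses the same pattern.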
@@ -668,6 +675,11 @@ json_decode_item(js_read_T *reader, typv
 		    continue;
 
 		case '{': /* start of object */
+		    if (top_item && top_item->jd_type == JSON_OBJECT_KEY)
+		    {
+			retval = FAIL;
+			break;
+		    }
 		    if (ga_grow(&stack, 1) == FAIL)
 		    {
 			retval = FAIL;