Mercurial > vim
view src/json_test.c @ 33262:6eac4f616293 v9.0.1899
patch 9.0.1899: potential buffer overflow in PBYTE macro
Commit: https://github.com/vim/vim/commit/ffb13674d1af1c90beb229867ec989e4fb232df3
Author: Christian Brabandt <cb@256bit.org>
Date: Fri Sep 15 20:22:02 2023 +0200
patch 9.0.1899: potential buffer overflow in PBYTE macro
Problem: potential buffer overflow in PBYTE macro
Solution: Check returned memline length
closes: #13083
the PBYTE macro is used to put byte c at a position lp of the returned
memline. However, in case of unexpected errors ml_get_buf() may return
either "???" or an empty line in which case it is quite likely that we
are causing a buffer overrun.
Therefore, switch the macro PBYTE (which is only used in ops.c anyhow)
to a function, that verifies that we will only try to access within the
given length of the buffer.
Also, since the macro is only used in ops.c, move the definition from
macros.h to ops.c
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Fri, 15 Sep 2023 20:30:07 +0200 |
parents | f41b55f9357c |
children |
line wrap: on
line source
/* vi:set ts=8 sts=4 sw=4 noet: * * VIM - Vi IMproved by Bram Moolenaar * * Do ":help uganda" in Vim to read copying and usage conditions. * Do ":help credits" in Vim to see a list of people who contributed. * See README.txt for an overview of the Vim source code. */ /* * json_test.c: Unittests for json.c */ #undef NDEBUG #include <assert.h> // Must include main.c because it contains much more than just main() #define NO_VIM_MAIN #include "main.c" // This file has to be included because the tested functions are static #include "json.c" #if defined(FEAT_EVAL) /* * Test json_find_end() with incomplete items. */ static void test_decode_find_end(void) { js_read_T reader; reader.js_fill = NULL; reader.js_used = 0; // string and incomplete string reader.js_buf = (char_u *)"\"hello\""; assert(json_find_end(&reader, 0) == OK); reader.js_buf = (char_u *)" \"hello\" "; assert(json_find_end(&reader, 0) == OK); reader.js_buf = (char_u *)"\"hello"; assert(json_find_end(&reader, 0) == MAYBE); // number and dash (incomplete number) reader.js_buf = (char_u *)"123"; assert(json_find_end(&reader, 0) == OK); reader.js_buf = (char_u *)"-"; assert(json_find_end(&reader, 0) == MAYBE); // false, true and null, also incomplete reader.js_buf = (char_u *)"false"; assert(json_find_end(&reader, 0) == OK); reader.js_buf = (char_u *)"f"; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"fa"; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"fal"; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"fals"; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"true"; assert(json_find_end(&reader, 0) == OK); reader.js_buf = (char_u *)"t"; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"tr"; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"tru"; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"null"; assert(json_find_end(&reader, 0) == OK); reader.js_buf = (char_u *)"n"; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"nu"; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"nul"; assert(json_find_end(&reader, 0) == MAYBE); // object without white space reader.js_buf = (char_u *)"{\"a\":123}"; assert(json_find_end(&reader, 0) == OK); reader.js_buf = (char_u *)"{\"a\":123"; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"{\"a\":"; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"{\"a\""; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"{\"a"; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"{\""; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"{"; assert(json_find_end(&reader, 0) == MAYBE); // object with white space reader.js_buf = (char_u *)" { \"a\" : 123 } "; assert(json_find_end(&reader, 0) == OK); reader.js_buf = (char_u *)" { \"a\" : 123 "; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)" { \"a\" : "; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)" { \"a\" "; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)" { \"a "; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)" { "; assert(json_find_end(&reader, 0) == MAYBE); // JS object with white space reader.js_buf = (char_u *)" { a : 123 } "; assert(json_find_end(&reader, JSON_JS) == OK); reader.js_buf = (char_u *)" { a : "; assert(json_find_end(&reader, JSON_JS) == MAYBE); // array without white space reader.js_buf = (char_u *)"[\"a\",123]"; assert(json_find_end(&reader, 0) == OK); reader.js_buf = (char_u *)"[\"a\",123"; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"[\"a\","; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"[\"a\""; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"[\"a"; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"[\""; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)"["; assert(json_find_end(&reader, 0) == MAYBE); // array with white space reader.js_buf = (char_u *)" [ \"a\" , 123 ] "; assert(json_find_end(&reader, 0) == OK); reader.js_buf = (char_u *)" [ \"a\" , 123 "; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)" [ \"a\" , "; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)" [ \"a\" "; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)" [ \"a "; assert(json_find_end(&reader, 0) == MAYBE); reader.js_buf = (char_u *)" [ "; assert(json_find_end(&reader, 0) == MAYBE); } static int fill_from_cookie(js_read_T *reader) { reader->js_buf = reader->js_cookie; return TRUE; } /* * Test json_find_end with an incomplete array, calling the fill function. */ static void test_fill_called_on_find_end(void) { js_read_T reader; reader.js_fill = fill_from_cookie; reader.js_used = 0; reader.js_buf = (char_u *)" [ \"a\" , 123 "; reader.js_cookie = " [ \"a\" , 123 ] "; assert(json_find_end(&reader, 0) == OK); reader.js_buf = (char_u *)" [ \"a\" , "; assert(json_find_end(&reader, 0) == OK); reader.js_buf = (char_u *)" [ \"a\" "; assert(json_find_end(&reader, 0) == OK); reader.js_buf = (char_u *)" [ \"a"; assert(json_find_end(&reader, 0) == OK); reader.js_buf = (char_u *)" [ "; assert(json_find_end(&reader, 0) == OK); } /* * Test json_find_end with an incomplete string, calling the fill function. */ static void test_fill_called_on_string(void) { js_read_T reader; reader.js_fill = fill_from_cookie; reader.js_used = 0; reader.js_buf = (char_u *)" \"foo"; reader.js_end = reader.js_buf + STRLEN(reader.js_buf); reader.js_cookie = " \"foobar\" "; assert(json_decode_string(&reader, NULL, '"') == OK); } #endif int main(void) { #if defined(FEAT_EVAL) test_decode_find_end(); test_fill_called_on_find_end(); test_fill_called_on_string(); #endif return 0; }