From 5b1bd849023bcbf495cdb91eef9552734efb9ca2 Mon Sep 17 00:00:00 2001
From: Arun Raghavan <arun@arunraghavan.net>
Date: Wed, 1 Jun 2016 17:18:35 +0530
Subject: json: Handle error cases while parsing numbers

Signed-off-by: Arun Raghavan <arun@arunraghavan.net>
---
 src/pulse/json.c      | 27 ++++++++++++++++++++++++++-
 src/tests/json-test.c |  4 ++++
 2 files changed, 30 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/pulse/json.c b/src/pulse/json.c
index d77c7adcd..3c89a85e5 100644
--- a/src/pulse/json.c
+++ b/src/pulse/json.c
@@ -194,7 +194,7 @@ error:
 }
 
 static const char* parse_number(const char *str, pa_json_object *obj) {
-    bool negative = false, has_fraction = false, has_exponent = false;
+    bool negative = false, has_fraction = false, has_exponent = false, valid = false;
     unsigned int integer = 0;
     unsigned int fraction = 0;
     unsigned int fraction_digits = 0;
@@ -206,11 +206,14 @@ static const char* parse_number(const char *str, pa_json_object *obj) {
     }
 
     if (*str == '0') {
+        valid = true;
         str++;
         goto fraction;
     }
 
     while (is_digit(*str)) {
+        valid = true;
+
         if (integer > ((negative ? INT_MAX : UINT_MAX) / 10)) {
             pa_log("Integer overflow while parsing number");
             goto error;
@@ -221,11 +224,20 @@ static const char* parse_number(const char *str, pa_json_object *obj) {
     }
 
 fraction:
+
+    if (!valid) {
+        pa_log("Missing digits while parsing number");
+        goto error;
+    }
+
     if (*str == '.') {
         has_fraction = true;
         str++;
+        valid = false;
 
         while (is_digit(*str)) {
+            valid = true;
+
             if (fraction > (UINT_MAX / 10)) {
                 pa_log("Integer overflow while parsing fractional part of number");
                 goto error;
@@ -235,6 +247,11 @@ fraction:
             fraction_digits++;
             str++;
         }
+
+        if (!valid) {
+            pa_log("No digit after '.' while parsing fraction");
+            goto error;
+        }
     }
 
     if (*str == 'e' || *str == 'E') {
@@ -242,6 +259,7 @@ fraction:
 
         has_exponent = true;
         str++;
+        valid = false;
 
         if (*str == '-') {
             exponent_negative = true;
@@ -250,6 +268,8 @@ fraction:
             str++;
 
         while (is_digit(*str)) {
+            valid = true;
+
             if (exponent > (INT_MAX / 10)) {
                 pa_log("Integer overflow while parsing exponent part of number");
                 goto error;
@@ -259,6 +279,11 @@ fraction:
             str++;
         }
 
+        if (!valid) {
+            pa_log("No digit in exponent while parsing fraction");
+            goto error;
+        }
+
         if (exponent_negative)
             exponent *= -1;
     }
diff --git a/src/tests/json-test.c b/src/tests/json-test.c
index a5f1f74cc..ca92877c0 100644
--- a/src/tests/json-test.c
+++ b/src/tests/json-test.c
@@ -223,6 +223,10 @@ START_TEST(bad_test) {
         "123456789012345678901234567890" /* Overflow */,
         "0.123456789012345678901234567890" /* Overflow */,
         "1e123456789012345678901234567890" /* Overflow */,
+        "1e" /* Bad number string */,
+        "1." /* Bad number string */,
+        "1.e3" /* Bad number string */,
+        "-" /* Bad number string */,
     };
 
     for (i = 0; i < PA_ELEMENTSOF(bad_parse); i++) {
-- 
cgit v1.2.3