Merge remote-tracking branch 'ConradIrwin/fix-buffer-overread' into HEAD

kstenerud · Apr 21, 2015 · 76836a3 · 76836a3
2 parents db2e9d3 + 85fadf4
commit 76836a3
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/Source/KSCrash/Recording/Tools/KSJSONCodec.c b/Source/KSCrash/Recording/Tools/KSJSONCodec.c
@@ -1137,8 +1137,19 @@ int ksjsoncodec_i_decodeElement(const char** ptr,
                 return KSJSON_ERROR_INCOMPLETE;
             }
 
+            // our buffer is not necessarily NULL-terminated, so
+            // it would be undefined to call sscanf/sttod etc. directly.
+            // instead we create a temporary string.
             double value;
-            sscanf(start, "%lg", &value);
+            size_t len = (*ptr - start);
+            char * buf = malloc(len + 1);
+            strncpy(buf, start, len);
+            buf[len] = '\0';
+
+            sscanf(buf, "%lg", &value);
+
+            free(buf);
+
             value *= sign;
             return callbacks->onFloatingPointElement(name, value, userData);
         }