Fix #189, ensure returns an invalid pointer

If realloc returns NULL, ensure didn't abort but returned printbuffer.offset instead. If an attacker can control printbuffer.offset and also make realloc fail at just the right moment, this would make cJSON potentially write at an arbitrary memory address.
2023-08-10 21:13:26 +03:00 · 2017-07-12 22:58:06 +02:00
parent ecdff7837c
commit 954d61e5e7
2 changed files with 25 additions and 1 deletions
--- a/cJSON.c
+++ b/cJSON.c
@ -377,6 +377,14 @@ static unsigned char* ensure(printbuffer * const p, size_t needed)
    {
        /* reallocate with realloc if available */
        newbuffer = (unsigned char*)p->hooks.reallocate(p->buffer, newsize);
+        if (newbuffer == NULL)
+        {
+            p->hooks.deallocate(p->buffer);
+            p->length = 0;
+            p->buffer = NULL;
+
+            return NULL;
+        }
    }
    else
    {