From 4eb5d05f018bc568580c85f17ddb304fcec364ca Mon Sep 17 00:00:00 2001
From: ZyX <kp-pav@yandex.ru>
Date: Mon, 7 Mar 2016 07:10:38 +0300
Subject: eval/decode: Avoid overflow when parsing incomplete null/true/false

Note: second test does not crash or produce asan errors, even though it should.
---
 src/nvim/eval/decode.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'src/nvim/eval/decode.c')

diff --git a/src/nvim/eval/decode.c b/src/nvim/eval/decode.c
index fc6e912c20..35e8421716 100644
--- a/src/nvim/eval/decode.c
+++ b/src/nvim/eval/decode.c
@@ -334,7 +334,7 @@ json_decode_string_cycle_start:
         continue;
       }
       case 'n': {
-        if (strncmp(p + 1, "ull", 3) != 0) {
+        if ((p + 3) >= e || strncmp(p + 1, "ull", 3) != 0) {
           EMSG2(_("E474: Expected null: %s"), p);
           goto json_decode_string_fail;
         }
@@ -347,7 +347,7 @@ json_decode_string_cycle_start:
         break;
       }
       case 't': {
-        if (strncmp(p + 1, "rue", 3) != 0) {
+        if ((p + 3) >= e || strncmp(p + 1, "rue", 3) != 0) {
           EMSG2(_("E474: Expected true: %s"), p);
           goto json_decode_string_fail;
         }
@@ -360,7 +360,7 @@ json_decode_string_cycle_start:
         break;
       }
       case 'f': {
-        if (strncmp(p + 1, "alse", 4) != 0) {
+        if ((p + 4) >= e || strncmp(p + 1, "alse", 4) != 0) {
           EMSG2(_("E474: Expected false: %s"), p);
           goto json_decode_string_fail;
         }
-- 
cgit