Merge commit from fork

byroot · web-flow · commit b20a9fbeb7d3 · 2025-03-12T14:04:03.000+01:00
Fix potential out of bound read in `json_string_unescape`.
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,6 @@
 # Changes
 
+* Fix a potential crash in the C extension parser.
 * Raise a ParserError on all incomplete unicode escape sequence. This was the behavior until `2.10.0` unadvertently changed it.
 * Ensure document snippets that are included in parser errors don't include truncated multibyte characters.
 
diff --git a/ext/json/ext/parser/parser.c b/ext/json/ext/parser/parser.c
@@ -608,7 +608,7 @@ static VALUE json_string_unescape(JSON_ParserState *state, const char *string, c
     buffer = RSTRING_PTR(result);
     bufferStart = buffer;
 
-    while ((pe = memchr(pe, '\\', stringEnd - pe))) {
+    while (pe < stringEnd && (pe = memchr(pe, '\\', stringEnd - pe))) {
         unescape = (char *) "?";
         unescape_len = 1;
         if (pe > p) {
diff --git a/test/json/json_parser_test.rb b/test/json/json_parser_test.rb
@@ -673,6 +673,13 @@ def test_parse_leading_slash
     end
   end
 
+  def test_parse_malformated_unicode_escapes
+    assert_equal "�|", JSON.parse('"\\u1gef|"')
+    assert_equal "�|", JSON.parse('"\\u12ge|"')
+    assert_equal "�|", JSON.parse('"\\u123g|"')
+    assert_equal '�\\\\"', JSON.parse('"\\u1\\\\\\\\\\\\\\\\"')
+  end
+
   private
 
   def string_deduplication_available?
