Avoid reading past datum end when parsing JSON.

Several loops in the JSON parser examined a byte in memory just before
checking whether its address was in-bounds, so they could read one byte
beyond the datum's allocation.  A SIGSEGV is possible.  New in 9.3, so
no back-patch.

diff --git a/src/backend/utils/adt/json.c b/src/backend/utils/adt/json.c
index a1c7f51efaa664d3d6e2a6a3c79b34461c58a3d6..a231736345223532c40965bfb8f2f4f221551634 100644 (file)
--- a/src/backend/utils/adt/json.c
+++ b/src/backend/utils/adt/json.c
@@ -598,7 +598,7 @@ json_lex(JsonLexContext *lex)
                     * the whole word as an unexpected token, rather than just
                     * some unintuitive prefix thereof.
                     */
-                   for (p = s; JSON_ALPHANUMERIC_CHAR(*p) && p - s < lex->input_length - len; p++)
+                   for (p = s; p - s < lex->input_length - len && JSON_ALPHANUMERIC_CHAR(*p); p++)
                         /* skip */ ;
 
                    /*
@@ -651,16 +651,21 @@ json_lex_string(JsonLexContext *lex)
    if (lex->strval != NULL)
        resetStringInfo(lex->strval);
 
+   Assert(lex->input_length > 0);
+   s = lex->token_start;
    len = lex->token_start - lex->input;
-   len++;
-   for (s = lex->token_start + 1; *s != '"'; s++, len++)
+   for (;;)
    {
+       s++;
+       len++;
        /* Premature end of the string. */
        if (len >= lex->input_length)
        {
            lex->token_terminator = s;
            report_invalid_token(lex);
        }
+       else if (*s == '"')
+           break;
        else if ((unsigned char) *s < 32)
        {
            /* Per RFC4627, these characters MUST be escaped. */
@@ -921,7 +926,7 @@ json_lex_number(JsonLexContext *lex, char *s)
        {
            s++;
            len++;
-       } while (*s >= '0' && *s <= '9' && len < lex->input_length);
+       } while (len < lex->input_length && *s >= '0' && *s <= '9');
    }
    else
        error = true;
@@ -939,7 +944,7 @@ json_lex_number(JsonLexContext *lex, char *s)
            {
                s++;
                len++;
-           } while (*s >= '0' && *s <= '9' && len < lex->input_length);
+           } while (len < lex->input_length && *s >= '0' && *s <= '9');
        }
    }
 
@@ -970,7 +975,7 @@ json_lex_number(JsonLexContext *lex, char *s)
     * here should be considered part of the token for error-reporting
     * purposes.
     */
-   for (p = s; JSON_ALPHANUMERIC_CHAR(*p) && len < lex->input_length; p++, len++)
+   for (p = s; len < lex->input_length && JSON_ALPHANUMERIC_CHAR(*p); p++, len++)
        error = true;
    lex->prev_token_terminator = lex->token_terminator;
    lex->token_terminator = p;
@@ -1138,8 +1143,8 @@ report_json_context(JsonLexContext *lex)
    line_number = 1;
    for (;;)
    {
-       /* Always advance over newlines (context_end test is just paranoia) */
-       if (*context_start == '\n' && context_start < context_end)
+       /* Always advance over newlines */
+       if (context_start < context_end && *context_start == '\n')
        {
            context_start++;
            line_start = context_start;