Fix decode_pointer_inplace ~1 escape and minify_string escape handling #993
Open
srijan-at-qwertystars wants to merge 1 commit into DaveGamble:master from
Two bugs fixed:

1. cJSON_Utils.c decode_pointer_inplace(): The ~1 JSON Pointer escape (RFC 6901 §3) was writing to decoded_string[1] instead of decoded_string[0], causing incorrect decoding. Additionally, non-escape characters after escape sequences were not being copied when the decoded output pointer fell behind the input pointer. This caused JSON Patch operations with ~1 in paths to silently fail or operate on wrong keys.

2. cJSON.c minify_string(): The escape handling only checked for \" (escaped quote) but not \\ (escaped backslash) or other escapes. A string ending with \\ caused the closing quote to be misidentified as an escaped quote, making the function read past the string boundary and absorb subsequent JSON tokens into the string value.

Both fixes are minimal and include bounds checking. All 19 existing tests pass with these changes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Two correctness bugs fixed in escape sequence handling:

Bug 1: `decode_pointer_inplace()` incorrect `~1` decoding (cJSON_Utils.c)

Per RFC 6901 §3, the `~1` escape in JSON Pointers must decode to `/`. The current code writes to `decoded_string[1]` instead of `decoded_string[0]` (line 377), causing the decoded character to be placed at the wrong offset.

Additionally, when `decoded_string` falls behind `string` after processing an escape, subsequent non-escape characters are not copied to the output position.

Impact: JSON Patch operations (`cJSONUtils_ApplyPatches`) with `~1` in path components silently fail or operate on wrong object keys.

Reproduction:

Bug 2: `minify_string()` doesn't handle `\\` escape (cJSON.c)

The escape check in `minify_string()` only handles `\"` (escaped quote) but not other JSON escapes like `\\` (escaped backslash). When a JSON string ends with `\\`, the closing `"` is misidentified as an escaped quote, causing the function to read past the string boundary and absorb subsequent JSON tokens into the string.

Impact: `cJSON_Minify` produces incorrect output for JSON containing strings that end with escaped backslashes.

Reproduction:

Changes

- cJSON_Utils.c: Fix `decoded_string[1]` → `decoded_string[0]` for `~1` case; add `else` clause to copy non-escape characters
- cJSON.c: Change escape check from `(*input)[1] == '"'` to `(*input)[1] != '\0'` to handle all escape sequences

Testing

All 19 existing tests pass. Both fixes are minimal (6 lines added, 2 lines changed).
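As an added illustration of the two behaviours this PR describes (standalone example code, not cJSON's own implementation and not the PR's patch): an RFC 6901 decoder that copies every non-escape byte explicitly so the output stays correct once it falls behind the input, and a JSON string scanner that lets any backslash consume the following byte, so a string ending in `\\` terminates at its real closing quote. The function names `pointer_decode_inplace` and `json_string_end` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode RFC 6901 escapes in place: "~1" -> '/', "~0" -> '~'.
 * Output never runs ahead of input, so in-place decoding is safe, but
 * every plain byte must be copied too, otherwise once 'out' lags 'in'
 * (after the first escape) the tail of the key is left stale.
 * Decoding is single-pass, so "~01" correctly yields "~1", not "/".
 * Returns the decoded length. */
size_t pointer_decode_inplace(char *s)
{
    char *in = s;
    char *out = s;
    while (*in != '\0') {
        if (in[0] == '~' && in[1] == '1') {
            *out = '/';
            in += 2;
        } else if (in[0] == '~' && in[1] == '0') {
            *out = '~';
            in += 2;
        } else {
            *out = *in;  /* the copy the buggy version omitted */
            in += 1;
        }
        out += 1;
    }
    *out = '\0';
    return (size_t)(out - s);
}

/* Given a pointer to the opening quote of a JSON string, return a pointer
 * just past its closing quote, or NULL if the string is unterminated.
 * A backslash always consumes the next byte, so the text  "x\\"  ends at
 * the final quote instead of that quote being taken as an escaped one. */
const char *json_string_end(const char *p)
{
    if (*p != '"') return NULL;
    p++;
    while (*p != '\0' && *p != '"') {
        if (*p == '\\') {
            if (p[1] == '\0') return NULL;  /* dangling backslash: unterminated */
            p++;
        }
        p++;
    }
    return (*p == '"') ? p + 1 : NULL;
}
```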