From 716a6c2a985ba8da8d33eabbc6c520f9297a65db Mon Sep 17 00:00:00 2001
From: Srijan Guchhait <62981066+qwertystars@users.noreply.github.com>
Date: Sat, 14 Mar 2026 15:39:57 +0000
Subject: [PATCH] Fix decode_pointer_inplace ~1 escape and minify_string escape
 handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two bugs fixed:

1. cJSON_Utils.c decode_pointer_inplace(): The ~1 JSON Pointer escape
   (RFC 6901 §3) was writing to decoded_string[1] instead of
   decoded_string[0], causing incorrect decoding. Additionally,
   non-escape characters after escape sequences were not being copied
   when the decoded output pointer fell behind the input pointer.
   This caused JSON Patch operations with ~1 in paths to silently
   fail or operate on wrong keys.

2. cJSON.c minify_string(): The escape handling only checked for \"
   (escaped quote) but not \\ (escaped backslash) or other escapes.
   A string ending with \\ caused the closing quote to be
   misidentified as an escaped quote, making the function read past
   the string boundary and absorb subsequent JSON tokens into the
   string value.

Both fixes are minimal and include bounds checking. All 19 existing
tests pass with these changes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 cJSON.c       | 2 +-
 cJSON_Utils.c | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/cJSON.c b/cJSON.c
index 88c2d95b..d24d5984 100644
--- a/cJSON.c
+++ b/cJSON.c
@@ -2913,7 +2913,7 @@ static void minify_string(char **input, char **output) {
             *input += static_strlen("\"");
             *output += static_strlen("\"");
             return;
-        } else if (((*input)[0] == '\\') && ((*input)[1] == '\"')) {
+        } else if (((*input)[0] == '\\') && ((*input)[1] != '\0')) {
             (*output)[1] = (*input)[1];
             *input += static_strlen("\"");
             *output += static_strlen("\"");
diff --git a/cJSON_Utils.c b/cJSON_Utils.c
index 8fa24f8e..233799f1 100644
--- a/cJSON_Utils.c
+++ b/cJSON_Utils.c
@@ -374,7 +374,7 @@ static void decode_pointer_inplace(unsigned char *string)
             }
             else if (string[1] == '1')
             {
-                decoded_string[1] = '/';
+                decoded_string[0] = '/';
             }
             else
             {
@@ -384,6 +384,10 @@ static void decode_pointer_inplace(unsigned char *string)
 
             string++;
         }
+        else
+        {
+            decoded_string[0] = string[0];
+        }
     }
 
     decoded_string[0] = '\0';