From 5340cf3e5ec39ffe8b575e22eed36c235cf4c70a Mon Sep 17 00:00:00 2001
From: SummerSolsticeMuch
Date: Fri, 3 Apr 2026 16:19:06 +0800
Subject: [PATCH] fix: add overflow check in decode_array_index_from_pointer()

The function parses a decimal string into size_t with no overflow detection. A very large numeric string (e.g. "18446744073709551617") silently wraps around, potentially resolving to an unintended small array index.

Add an overflow guard before the multiply-and-add so that indices exceeding SIZE_MAX are rejected instead of wrapping.
---
 cJSON_Utils.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/cJSON_Utils.c b/cJSON_Utils.c
index 8fa24f8e..40edff60 100644
--- a/cJSON_Utils.c
+++ b/cJSON_Utils.c
@@ -284,8 +284,12 @@ static cJSON_bool decode_array_index_from_pointer(const unsigned char * const po
 
     for (position = 0; (pointer[position] >= '0') && (pointer[position] <= '9'); position++)
     {
+        if (parsed_index > (SIZE_MAX - 9) / 10)
+        {
+            /* overflow would occur */
+            return 0;
+        }
         parsed_index = (10 * parsed_index) + (size_t)(pointer[position] - '0');
-
     }
 
     if ((pointer[position] != '\0') && (pointer[position] != '/'))
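Review bot: `SIZE_MAX` in the new guard comes from `<stdint.h>`, a C99 header, and the patch neither adds that include nor shows the file's include list, so if cJSON_Utils.c does not already pull it in the hunk fails to compile, and on builds that still compile the library as C89 the header may not be available at all. A spelling with no header dependency is `if (parsed_index > (((size_t)-1) - 9) / 10)`; otherwise add the include if the file already relies on C99 headers. The bound is also slightly conservative: it rejects the handful of representable values just below and at SIZE_MAX (e.g. "18446744073709551615" on LP64), which is harmless for an array index but worth recording in the comment, e.g. `/* reject before 10 * parsed_index + digit can exceed SIZE_MAX; slightly conservative near the limit */`. The function's store to *index and its return lie outside the hunk.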