authorAlfredo Cardigliano <cardigliano@ntop.org>2025-03-27 14:48:16 +0100
committerAlfredo Cardigliano <cardigliano@ntop.org>2025-03-27 14:48:16 +0100
commit37a0613b14b36debefc988edcc02011c89149236 (patch)
tree2996f2e47dba52a6d65e7c2d37a981891b04439d
parent484f93d64e3ca562f1010e3956af86538c9c9274 (diff)
Add safety checks
-rw-r--r--src/lib/ndpi_serializer.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/lib/ndpi_serializer.c b/src/lib/ndpi_serializer.c
index 670925d82..1510d470d 100644
--- a/src/lib/ndpi_serializer.c
+++ b/src/lib/ndpi_serializer.c
@@ -99,8 +99,8 @@ int ndpi_json_string_escape(const char *src, int src_len, char *dst, int dst_max
if (c < 0x20 /* ' ' */ || c == 0x7F) {
; // Non-printable ASCII character (skip)
- } else if (c < 0x7F) {
- /* Valid ASCII character (escape if required) */
+ } else if (c >= 0x20 && c <= 0x7E) {
+ // Valid ASCII character (escape if required by JSON)
switch (c) {
case '\\':
case '"':
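Review bot: The rewritten test `c >= 0x20 && c <= 0x7E` appears to accept exactly the same bytes as the old `c < 0x7F`, because the branch above already takes every `c < 0x20` and `c == 0x7F`. This assumes `c` is an unsigned byte, which the later `c >= 0xC2` comparisons suggest; its declaration is outside the hunk. If the explicit lower bound is kept as a defence against a signed `c`, say so in the comment, e.g. `// Printable ASCII 0x20..0x7E; lower bound repeated in case c is ever signed`. The switch body continues outside the hunk.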
@@ -132,19 +132,19 @@ int ndpi_json_string_escape(const char *src, int src_len, char *dst, int dst_max
dst[j++] = c;
}
- } else if ((c >= 0xC2 && c <= 0xDF) &&
+ } else if ((c >= 0xC2 && c <= 0xDF) && (src_len - i) >= 2 &&
((u_char) src[i+1] >= 0x80 && (u_char) src[i+1] <= 0xBF)) {
// 2-byte sequence (U+0080 to U+07FF)
dst[j++] = c;
dst[j++] = src[++i];
- } else if ((c >= 0xE0 && c <= 0xEF) &&
+ } else if ((c >= 0xE0 && c <= 0xEF) && (src_len - i) >= 3 &&
((u_char) src[i+1] >= 0x80 && (u_char) src[i+1] <= 0xBF) &&
((u_char) src[i+2] >= 0x80 && (u_char) src[i+2] <= 0xBF)) {
// 3-byte sequence (U+0800 to U+FFFF)
dst[j++] = c;
dst[j++] = src[++i];
dst[j++] = src[++i];
- } else if ((c >= 0xF0 && c <= 0xF4) &&
+ } else if ((c >= 0xF0 && c <= 0xF4) && (src_len - i) >= 4 &&
((u_char) src[i+1] >= 0x80 && (u_char) src[i+1] <= 0xBF) &&
((u_char) src[i+2] >= 0x80 && (u_char) src[i+2] <= 0xBF) &&
((u_char) src[i+3] >= 0x80 && (u_char) src[i+3] <= 0xBF)) {
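Review bot: The added `(src_len - i) >= N` guards bound the reads of `src`, but the two to four `dst[j++]` writes in the same branches are not checked against `dst_max_len` anywhere in the visible lines. The loop header is outside the hunk; if it only tests `j < dst_max_len` once per iteration, a multi-byte sequence landing at the end of the buffer could write up to three bytes past that check. Consider pairing each source guard with a destination guard, e.g. `(src_len - i) >= 2 && (dst_max_len - j) >= 2 &&`, and the same with 3 and 4 in the other two branches. Separately, the continuation-byte ranges accept overlong and surrogate forms (for example 0xE0 followed by 0x80, or 0xED followed by 0xA0), so the emitted JSON is not guaranteed to be valid UTF-8 for a strict parser.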