patch 8.0.1602: crash in parsing JSONv8.0.1602

Problem: Crash in parsing JSON. Solution: Fail when using array or dict as dict key. (Damien)
author: Bram Moolenaar <Bram@vim.org> 2018-03-13 13:10:41 +0100
committer: Bram Moolenaar <Bram@vim.org> 2018-03-13 13:10:41 +0100
commit: 625f0c1eb75da08229843fa393b1ee4e6547d285 (patch)
tree: e1a293c1b2b6779bb236af65f5797583c4393a7b /src/json.c
parent: ff1e8795772a0175017c4c4f74ce33614ea8e73a (diff)
1 files changed, 13 insertions, 1 deletions
diff --git a/src/json.c b/src/json.c
index 6f914ea03d..e1f40bf652 100644
--- a/src/json.c
+++ b/src/json.c
@@ -621,7 +621,9 @@ json_decode_item(js_read_T *reader, typval_T *res, int options)
 	if (top_item != NULL && top_item->jd_type == JSON_OBJECT_KEY
 		&& (options & JSON_JS)
 		&& reader->js_buf[reader->js_used] != '"'
-		&& reader->js_buf[reader->js_used] != '\'')
+		&& reader->js_buf[reader->js_used] != '\''
+		&& reader->js_buf[reader->js_used] != '['
+		&& reader->js_buf[reader->js_used] != '{')
 	{
 	    char_u *key;
 
@@ -642,6 +644,11 @@ json_decode_item(js_read_T *reader, typval_T *res, int options)
 	    switch (*p)
 	    {
 		case '[': /* start of array */
+		    if (top_item && top_item->jd_type == JSON_OBJECT_KEY)
+		    {
+			retval = FAIL;
+			break;
+		    }
 		    if (ga_grow(&stack, 1) == FAIL)
 		    {
 			retval = FAIL;
@@ -668,6 +675,11 @@ json_decode_item(js_read_T *reader, typval_T *res, int options)
 		    continue;
 
 		case '{': /* start of object */
+		    if (top_item && top_item->jd_type == JSON_OBJECT_KEY)
+		    {
+			retval = FAIL;
+			break;
+		    }
 		    if (ga_grow(&stack, 1) == FAIL)
 		    {
 			retval = FAIL;
author	Bram Moolenaar <Bram@vim.org>	2018-03-13 13:10:41 +0100
committer	Bram Moolenaar <Bram@vim.org>	2018-03-13 13:10:41 +0100
commit	625f0c1eb75da08229843fa393b1ee4e6547d285 (patch)
tree	e1a293c1b2b6779bb236af65f5797583c4393a7b /src/json.c
parent	ff1e8795772a0175017c4c4f74ce33614ea8e73a (diff)