From 625f0c1eb75da08229843fa393b1ee4e6547d285 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Tue, 13 Mar 2018 13:10:41 +0100
Subject: patch 8.0.1602: crash in parsing JSON

Problem:    Crash in parsing JSON.
Solution:   Fail when using array or dict as dict key. (Damien)
---
 src/json.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'src/json.c')

diff --git a/src/json.c b/src/json.c
index 6f914ea03d..e1f40bf652 100644
--- a/src/json.c
+++ b/src/json.c
@@ -621,7 +621,9 @@ json_decode_item(js_read_T *reader, typval_T *res, int options)
 	if (top_item != NULL && top_item->jd_type == JSON_OBJECT_KEY
 		&& (options & JSON_JS)
 		&& reader->js_buf[reader->js_used] != '"'
-		&& reader->js_buf[reader->js_used] != '\'')
+		&& reader->js_buf[reader->js_used] != '\''
+		&& reader->js_buf[reader->js_used] != '['
+		&& reader->js_buf[reader->js_used] != '{')
 	{
 	    char_u *key;
 
@@ -642,6 +644,11 @@ json_decode_item(js_read_T *reader, typval_T *res, int options)
 	    switch (*p)
 	    {
 		case '[': /* start of array */
+		    if (top_item && top_item->jd_type == JSON_OBJECT_KEY)
+		    {
+			retval = FAIL;
+			break;
+		    }
 		    if (ga_grow(&stack, 1) == FAIL)
 		    {
 			retval = FAIL;
@@ -668,6 +675,11 @@ json_decode_item(js_read_T *reader, typval_T *res, int options)
 		    continue;
 
 		case '{': /* start of object */
+		    if (top_item && top_item->jd_type == JSON_OBJECT_KEY)
+		    {
+			retval = FAIL;
+			break;
+		    }
 		    if (ga_grow(&stack, 1) == FAIL)
 		    {
 			retval = FAIL;
-- 
cgit v1.2.3