View Issue Details

ID: 0037840
Project: FPC
Category: FCL
View Status: public
Last Update: 2020-09-29 17:35
Reporter: Benito van der Zander
Assigned To: Michael Van Canneyt
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Platform: amd64
OS: linux
Product Version: 3.3.1
Fixed in Version: 3.3.1
Summary: 0037840: json scanner should not allow invalid numbers
Description: JSON does not allow numbers starting with '0' or '.', or that have no digits after '.' or 'e'+-

With this patch it raises an exception on these numbers. For invalid leading chars only if joStrict is set, for invalid exponents always.
Tags: No tags attached.
Fixed in Revision: 47005
FPCOldBugId:
FPCTarget: 3.2.2
Attached Files

Activities

Benito van der Zander

2020-09-29 16:58

reporter  

numbers.patch (3,076 bytes)   
Index: packages/fcl-json/src/jsonscanner.pp
===================================================================
--- packages/fcl-json/src/jsonscanner.pp        (Revision 47001)
+++ packages/fcl-json/src/jsonscanner.pp        (Arbeitskopie)
@@ -396,37 +395,54 @@
     '0'..'9','.','-':
       begin
         TokenStart := FTokenStr;
+        if FTokenStr^ = '-' then inc(FTokenStr);
+        case FTokenStr^ of
+          '1'..'9': Inc(FTokenStr);
+          '0': begin
+            Inc(FTokenStr);
+            if (joStrict in Options) and (FTokenStr^ in ['0'..'9']) then
+              Error(SErrInvalidCharacter, [CurRow,CurColumn,FTokenStr[0]]);
+          end;
+          '.': if joStrict in Options then
+                 Error(SErrInvalidCharacter, [CurRow,CurColumn,FTokenStr[0]]);
+          else
+            Error(SErrInvalidCharacter, [CurRow,CurColumn,FTokenStr[0]]);
+        end;
         while true do
         begin
-          Inc(FTokenStr);
           case FTokenStr^ of
+            '0'..'9': inc(FTokenStr);
             '.':
               begin
-                if FTokenStr[1] in ['0'..'9', 'e', 'E'] then
-                begin
-                  Inc(FTokenStr);
-                  repeat
+                case FTokenStr[1] of
+                  '0'..'9': Inc(FTokenStr, 2);
+                  'e', 'E': begin
+                    if joStrict in Options then
+                      Error(SErrInvalidCharacter, [CurRow,CurColumn,FTokenStr[0]]);
                     Inc(FTokenStr);
-                  until not (FTokenStr^ in ['0'..'9', 'e', 'E','-','+']);
+                  end;
+                  else Error(SErrInvalidCharacter, [CurRow,CurColumn,FTokenStr[0]]);
                 end;
-                break;
-              end;
-            '0'..'9': ;
-            'e', 'E':
-              begin
-                Inc(FTokenStr);
-                if FTokenStr^ in ['-','+']  then
-                  Inc(FTokenStr);
                 while FTokenStr^ in ['0'..'9'] do
-                  Inc(FTokenStr);
+                  inc(FTokenStr);
                 break;
               end;
           else
-            if {(FTokenStr<>FEOL) and }not (FTokenStr^ in [#13,#10,#0,'}',']',',',#9,' ']) then
-               Error(SErrInvalidCharacter, [CurRow,CurColumn,FTokenStr[0]]);
             break;
           end;
         end;
+        if FTokenStr^ in ['e', 'E'] then begin
+          Inc(FTokenStr);
+          if FTokenStr^ in ['-','+']  then
+            Inc(FTokenStr);
+          if not (FTokenStr^ in ['0'..'9']) then
+            Error(SErrInvalidCharacter, [CurRow,CurColumn,FTokenStr[0]]);
+          repeat
+            Inc(FTokenStr);
+          until not (FTokenStr^ in ['0'..'9']);
+        end;
+        if {(FTokenStr<>FEOL) and }not (FTokenStr^ in [#13,#10,#0,'}',']',',',#9,' ']) then
+          Error(SErrInvalidCharacter, [CurRow,CurColumn,FTokenStr[0]]);
         SectionLength := FTokenStr - TokenStart;
         FCurTokenString:='';
         SetString(FCurTokenString, TokenStart, SectionLength);
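
Review bot: in the inner case on FTokenStr[1], the 'e', 'E' arm raises only when joStrict is set, so in non-strict mode a token with no mantissa digits at all, such as .e5 or -.e5, passes every check in this hunk. The leading '.' arm of the first case neither advances nor errors without joStrict, the 'e', 'E' arm then steps over the dot, and the exponent block only requires a digit after the e. If such tokens should be rejected, track whether any digit was consumed before or after the dot and call Error(SErrInvalidCharacter, ...) when none was. Separately, the '.' arm of the first case depends on the semicolon after Error(...) to make the following else belong to the case rather than to the if; wrapping that if in begin ... end would make the intent explicit. The patch touches only jsonscanner.pp, so test cases covering the newly rejected inputs would be worth adding with it.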

Michael Van Canneyt

2020-09-29 17:35

administrator   ~0125962

Fixed, thanks for the patch

Issue History

Date Modified Username Field Change
2020-09-29 16:58 Benito van der Zander New Issue
2020-09-29 16:58 Benito van der Zander File Added: numbers.patch
2020-09-29 17:03 Michael Van Canneyt Assigned To => Michael Van Canneyt
2020-09-29 17:03 Michael Van Canneyt Status new => assigned
2020-09-29 17:35 Michael Van Canneyt Status assigned => resolved
2020-09-29 17:35 Michael Van Canneyt Resolution open => fixed
2020-09-29 17:35 Michael Van Canneyt Fixed in Version => 3.3.1
2020-09-29 17:35 Michael Van Canneyt Fixed in Revision => 47005
2020-09-29 17:35 Michael Van Canneyt FPCTarget => 3.2.2
2020-09-29 17:35 Michael Van Canneyt Note Added: 0125962