
Commit 34e4352

committed
Calculate actual size of number values when exporting, and fix argument to _cupsStrFormatd (Issue #1546)
1 parent 4651f36 commit 34e4352


1 file changed

+19
-5
lines changed

1 file changed

+19
-5
lines changed

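--- a/cups/json.c
+++ b/cups/json.c
@@ -1,7 +1,7 @@
 //
 // JSON API implementation for CUPS.
 //
-// Copyright © 2022-2025 by OpenPrinting.
+// Copyright © 2022-2026 by OpenPrinting.
 //
 // Licensed under Apache License v2.0. See the file "LICENSE" for more
 // information.
@@ -232,7 +232,9 @@ cupsJSONExportString(cups_json_t *json) // I - JSON root node
 cups_json_t *current; // Current node
 size_t length; // Length of JSON data as a string
 char *s, // JSON string
-*ptr; // Pointer into string
+*ptr, // Pointer into string
+*end, // End of string
+temp[1024]; // Temporary string
 const char *value; // Pointer into string value
 struct lconv *loc; // Locale data
 
@@ -250,6 +252,7 @@ cupsJSONExportString(cups_json_t *json) // I - JSON root node
 // Figure out the necessary space needed in the string
 current = json;
 length = 1; // nul
+loc = localeconv();
 
 while (current)
 {
@@ -273,7 +276,8 @@ cupsJSONExportString(cups_json_t *json) // I - JSON root node
 break;
 
 case CUPS_JTYPE_NUMBER :
-length += 32;
+_cupsStrFormatd(temp, temp + sizeof(temp) - 1, current->value.number, loc);
+length += strlen(temp);
 break;
 
 case CUPS_JTYPE_KEY :
@@ -333,7 +337,7 @@ cupsJSONExportString(cups_json_t *json) // I - JSON root node
 
 current = json;
 ptr = s;
-loc = localeconv();
+end = s + length - 1;
 
 while (current)
 {
@@ -368,11 +372,14 @@ cupsJSONExportString(cups_json_t *json) // I - JSON root node
 break;
 
 case CUPS_JTYPE_OBJECT :
+if (ptr >= end)
+goto overflow;
+
 *ptr++ = '{';
 break;
 
 case CUPS_JTYPE_NUMBER :
-_cupsStrFormatd(ptr, s + length, current->value.number, loc);
+_cupsStrFormatd(ptr, end, current->value.number, loc);
 ptr += strlen(ptr);
 break;
 
@@ -477,6 +484,13 @@ cupsJSONExportString(cups_json_t *json) // I - JSON root node
 DEBUG_printf("3cupsJSONExportString: Returning \"%s\".", s);
 
 return (s);
+
+// If we get here we overflowed our string buffer for some reason...
+overflow:
+
+free(s);
+
+return (NULL);
 }
 
 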
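Review bot: In the write pass, the `CUPS_JTYPE_NUMBER` case calls `_cupsStrFormatd(ptr, end, ...)` without the `if (ptr >= end) goto overflow;` guard that this commit adds to the `CUPS_JTYPE_OBJECT` case. If the sizing pass ever under-counts, the number would presumably be cut short at `end`, and the function would return truncated JSON instead of taking the `overflow` path. I would put the same guard in front of the call: `if (ptr >= end) goto overflow;`. Only the OBJECT and NUMBER cases of the write switch are visible in these hunks, so whether the remaining cases check against `end` cannot be confirmed from here. The function's header comment, which lies outside the hunks, should also state that `NULL` is now returned when the buffer would overflow, not only on allocation failure.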
