From 8f163fe09de4afa9f38bba25a57156ffbf14d12c Mon Sep 17 00:00:00 2001
From: Ben Pfaff <blp@nicira.com>
Date: Wed, 25 Jun 2014 11:39:25 -0700
Subject: [PATCH] json: Fix parsing of strings that end with a backslash.

json_string_unescape() flagged a backslash at the end of a string as an
error, but of course "\\" is a valid string.  This fixes the problem.

VMware-BZ: #1275208
Reported-by: Michael Hu <mhu@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Alex Wang <alexw@nicira.com>
---
 lib/json.c    | 14 +++++++++-----
 tests/json.at |  7 +++++++
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/lib/json.c b/lib/json.c
index 58b248a06..167c40ce7 100644
--- a/lib/json.c
+++ b/lib/json.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2010, 2011, 2012 Nicira, Inc.
+ * Copyright (c) 2009, 2010, 2011, 2012, 2014 Nicira, Inc.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -812,10 +812,6 @@ json_string_unescape(const char *in, size_t in_len, char **outp)
 
     ds_init(&out);
     ds_reserve(&out, in_len);
-    if (in_len > 0 && in[in_len - 1] == '\\') {
-        ds_put_cstr(&out, "quoted string may not end with backslash");
-        goto exit;
-    }
     while (in < end) {
         if (*in == '"') {
             ds_clear(&out);
@@ -828,6 +824,14 @@ json_string_unescape(const char *in, size_t in_len, char **outp)
         }
 
         in++;
+        if (in >= end) {
+            /* The JSON parser will never trigger this message, because its
+             * lexer will never pass in a string that ends in a single
+             * backslash, but json_string_unescape() has other callers that
+             * are not as careful.*/
+            ds_put_cstr(&out, "quoted string may not end with backslash");
+            goto exit;
+        }
         switch (*in++) {
         case '"': case '\\': case '/':
             ds_put_char(&out, in[-1]);
diff --git a/tests/json.at b/tests/json.at
index 86ae5fad9..8846ac953 100644
--- a/tests/json.at
+++ b/tests/json.at
@@ -120,6 +120,13 @@ JSON_CHECK_NEGATIVE([surrogatess must paired properly],
 JSON_CHECK_NEGATIVE([null bytes not allowed], 
                     [[["\u0000"]]], 
                     [error: null bytes not supported in quoted strings])
+dnl Check for regression against a prior bug.
+JSON_CHECK_POSITIVE([properly quoted backslash at end of string],
+  [[["\\"]]],
+  [[["\\"]]])
+JSON_CHECK_NEGATIVE([stray backslash at end of string],
+  [[["abcd\"]]],
+  [error: unexpected end of input in quoted string])
 
 AT_SETUP([end of input in quoted string - C])
 AT_KEYWORDS([json negative])
-- 
2.20.1