Fix crash in JSON parser

Author: jart

.gitignore

@@ -1,5 +1,6 @@
 /*.o
 /*.a
+/fuzz
 /*.ok
 /*.elf
 /*.dbg

Makefile

@@ -7,6 +7,9 @@ clean:
 
 json.o: json.cpp json.h
 
+fuzz.o: fuzz.cpp json.h
+fuzz: fuzz.o json.o double-conversion.a
+
 json_test.o: json_test.cpp json.h
 json_test: json_test.o json.o double-conversion.a
 

fuzz.cpp

@@ -0,0 +1,36 @@
+// -*- mode:c++;indent-tabs-mode:nil;c-basic-offset:4;coding:utf-8 -*-
+// vi: set et ft=cpp ts=4 sts=4 sw=4 fenc=utf-8 :vi
+//
+// Copyright 2024 Mozilla Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "json.h"
+
+#include <cstdio>
+#include <string>
+
+int
+main(int argc, char* argv[])
+{
+    int c;
+    std::string s;
+    while ((c = fgetc(stdin)) != EOF)
+        s += c;
+    std::pair<Json::Status, Json> result = Json::parse(s);
+    if (result.first != Json::success) {
+        puts(Json::StatusToString(result.first));
+        return 1;
+    }
+    puts(result.second.toStringPretty().c_str());
+}

fuzzies/t1

@@ -0,0 +1 @@
+[1, 2, 3]

fuzzies/t2

@@ -0,0 +1 @@
+{"a": "b"}

fuzzies/t3

@@ -0,0 +1,6 @@
+[
+null,
+1,
+3.14,
+{"a": "b"}
+]

json.cpp

@@ -951,6 +951,8 @@ Json::parse(Json& json, const char*& p, const char* e, int context, int depth)
                         return success;
                     if (status != success)
                         return status;
+                    if (!key.isString())
+                        return object_key_must_be_string;
                     status = parse(value, p, e, COLON, depth - 1);
                     if (status == absent_value)
                         return object_missing_value;

json_test.cpp

@@ -406,13 +406,68 @@ json_test_suite()
     }
 }
 
+void
+afl_regression()
+{
+    Json::parse("[{\"\":1,3:14,]\n");
+    Json::parse("[\n"
+                "\n"
+                "3E14,\n"
+                "{\"!\":4,733:4,[\n"
+                "\n"
+                "3EL%,3E14,\n"
+                "{][1][1,,]");
+    Json::parse("[\n"
+                "null,\n"
+                "1,\n"
+                "3.14,\n"
+                "{\"a\": \"b\",\n"
+                "3:14,ull}\n"
+                "]");
+    Json::parse("[\n"
+                "\n"
+                "3E14,\n"
+                "{\"a!!!!!!!!!!!!!!!!!!\":4, \n"
+                "\n"
+                "3:1,,\n"
+                "3[\n"
+                "\n"
+                "]");
+    Json::parse("[\n"
+                "\n"
+                "3E14,\n"
+                "{\"a!!:!!!!!!!!!!!!!!!\":4, \n"
+                "\n"
+                "3E1:4, \n"
+                "\n"
+                "3E1,,\n"
+                ",,\n"
+                "3[\n"
+                "\n"
+                "]");
+    Json::parse("[\n"
+                "\n"
+                "3E14,\n"
+                "{\"!\":4,733:4,[\n"
+                "\n"
+                "3E1%,][1,,]");
+    Json::parse("[\n"
+                "\n"
+                "3E14,\n"
+                "{\"!\":4,733:4,[\n"
+                "\n"
+                "3EL%,3E14,\n"
+                "{][1][1,,]");
+}
+
 int
 main()
 {
     object_test();
     deep_test();
     parse_test();
     round_trip_test();
+    afl_regression();
 
     BENCH(2000, 1, object_test());
     BENCH(2000, 1, deep_test());