Fix crash of cJSON_GetObjectItemCaseSensitive when calling it on arrays

FSMaxB · FSMaxB · commit be749d7efa7c · 2018-12-16T11:06:40.000+01:00
diff --git a/cJSON.c b/cJSON.c
@@ -1781,7 +1781,7 @@ static cJSON *get_object_item(const cJSON * const object, const char * const nam
     current_element = object->child;
     if (case_sensitive)
     {
-        while ((current_element != NULL) && (strcmp(name, current_element->string) != 0))
+        while ((current_element != NULL) && (current_element->string != NULL) && (strcmp(name, current_element->string) != 0))
         {
             current_element = current_element->next;
         }
@@ -1794,6 +1794,10 @@ static cJSON *get_object_item(const cJSON * const object, const char * const nam
         }
     }
 
+    if ((current_element == NULL) || (current_element->string == NULL)) {
+        return NULL;
+    }
+
     return current_element;
 }
 
diff --git a/tests/misc_tests.c b/tests/misc_tests.c
@@ -127,6 +127,28 @@ static void cjson_get_object_item_case_sensitive_should_get_object_items(void)
     cJSON_Delete(item);
 }
 
+static void cjson_get_object_item_should_not_crash_with_array(void) {
+    cJSON *array = NULL;
+    cJSON *found = NULL;
+    array = cJSON_Parse("[1]");
+
+    found = cJSON_GetObjectItem(array, "name");
+    TEST_ASSERT_NULL(found);
+
+    cJSON_Delete(array);
+}
+
+static void cjson_get_object_item_case_sensitive_should_not_crash_with_array(void) {
+    cJSON *array = NULL;
+    cJSON *found = NULL;
+    array = cJSON_Parse("[1]");
+
+    found = cJSON_GetObjectItemCaseSensitive(array, "name");
+    TEST_ASSERT_NULL(found);
+
+    cJSON_Delete(array);
+}
+
 static void typecheck_functions_should_check_type(void)
 {
     cJSON invalid[1];
@@ -535,6 +557,8 @@ int CJSON_CDECL main(void)
     RUN_TEST(cjson_array_foreach_should_not_dereference_null_pointer);
     RUN_TEST(cjson_get_object_item_should_get_object_items);
     RUN_TEST(cjson_get_object_item_case_sensitive_should_get_object_items);
+    RUN_TEST(cjson_get_object_item_should_not_crash_with_array);
+    RUN_TEST(cjson_get_object_item_case_sensitive_should_not_crash_with_array);
     RUN_TEST(typecheck_functions_should_check_type);
     RUN_TEST(cjson_should_not_parse_to_deeply_nested_jsons);
     RUN_TEST(cjson_set_number_value_should_set_numbers);

Original file line number	Diff line number	Diff line change
`@@ -1781,7 +1781,7 @@ static cJSON get_object_item(const cJSON const object, const char * const nam`
`1781`	`1781`	`current_element = object->child;`
`1782`	`1782`	`if (case_sensitive)`
`1783`	`1783`	`{`
`1784`		`- while ((current_element != NULL) && (strcmp(name, current_element->string) != 0))`
	`1784`	`+ while ((current_element != NULL) && (current_element->string != NULL) && (strcmp(name, current_element->string) != 0))`
`1785`	`1785`	`{`
`1786`	`1786`	`current_element = current_element->next;`
`1787`	`1787`	`}`
`@@ -1794,6 +1794,10 @@ static cJSON get_object_item(const cJSON const object, const char * const nam`
`1794`	`1794`	`}`
`1795`	`1795`	`}`
`1796`	`1796`
	`1797`	`+ if ((current_element == NULL) \|\| (current_element->string == NULL)) {`
	`1798`	`+ return NULL;`
	`1799`	`+ }`
	`1800`	`+`
`1797`	`1801`	`return current_element;`
`1798`	`1802`	`}`
`1799`	`1803`