panic: runtime error: slice bounds out of range
toptotu opened this issue · comments
payload:
func main() {
testJson := [
s, _ := jsonparser.GetString([]byte(testJson), testJson)
fmt.Println(s)
}
panic: runtime error: slice bounds out of range [1:0]
goroutine 1 [running]:
github.com/buger/jsonparser.searchKeys(0x2c050000, 0x1, 0x1, 0xc0000d7e78, 0x1, 0x1, 0xc00003a000)
D:/Go/golibsrc/src/github.com/buger/jsonparser/parser.go:311 +0xfdb
github.com/buger/jsonparser.internalGet(0x2c050000, 0x1, 0x1, 0xc0000d7e78, 0x1, 0x1, 0xc0000d7d38, 0x65e120, 0x56afb0, 0xc0000d7dc0, ...)
D:/Go/golibsrc/src/github.com/buger/jsonparser/parser.go:891 +0x3a6
github.com/buger/jsonparser.Get(0x2c050000, 0x1, 0x1, 0xc0000d7e78, 0x1, 0x1, 0xc0000d7e87, 0x0, 0xc0000d7e14, 0xc0000d7e87, ...)
D:/Go/golibsrc/src/github.com/buger/jsonparser/parser.go:885 +0x90
github.com/buger/jsonparser.GetString(0x2c050000, 0x1, 0x1, 0xc0000d7e78, 0x1, 0x1, 0x9, 0x9, 0x0, 0x0)
D:/Go/golibsrc/src/github.com/buger/jsonparser/parser.go:1122 +0x9e
@AllenX2018 Any new progress on repairing this issue ?
FYI, this was assigned CVE-2020-35381.
A fix seems to be:
diff --git a/parser.go b/parser.go
index 5caeace..dab4574 100644
--- a/parser.go
+++ b/parser.go
@@ -307,7 +307,7 @@ func searchKeys(data []byte, keys ...string) int {
}
case '[':
// If we want to get array element by index
- if keyLevel == level && keys[level][0] == '[' {
+ if keyLevel == level && keys[level][0] == '[' && len(keys[level]) > 1 {
aIdx, err := strconv.Atoi(keys[level][1 : len(keys[level])-1])
if err != nil {
return -1
@d-hat can you submit a PR pls?
Thanks!
Modified slightly to return an error instead of continue trying to index. Please correct any errors or poor style on my part, my golang expertise is approximately nil
Amy chance this can get fixed soonish? Thanks.
Should be fixed now!
Will there also be a new release incorporating this? Thanks!
Just did v1.1.1 release 🚀
Thanks!