commit 625f0c1eb75da08229843fa393b1ee4e6547d285
author Bram Moolenaar <Bram@vim.org> Tue Mar 13 13:10:41 2018 +0100
committer Bram Moolenaar <Bram@vim.org> Tue Mar 13 13:10:41 2018 +0100
tree e1a293c1b2b6779bb236af65f5797583c4393a7b
parent ff1e8795772a0175017c4c4f74ce33614ea8e73a

patch 8.0.1602: crash in parsing JSON

Problem:    Crash in parsing JSON.
Solution:   Fail when using array or dict as dict key. (Damien)

src/json.c

diff --git a/src/json.c b/src/json.c
index 6f914ea..e1f40bf 100644
--- a/src/json.c
+++ b/src/json.c
@@ -621,7 +621,9 @@
 	if (top_item != NULL && top_item->jd_type == JSON_OBJECT_KEY
 		&& (options & JSON_JS)
 		&& reader->js_buf[reader->js_used] != '"'
-		&& reader->js_buf[reader->js_used] != '\'')
+		&& reader->js_buf[reader->js_used] != '\''
+		&& reader->js_buf[reader->js_used] != '['
+		&& reader->js_buf[reader->js_used] != '{')
 	{
 	    char_u *key;
 
@@ -642,6 +644,11 @@
 	    switch (*p)
 	    {
 		case '[': /* start of array */
+		    if (top_item && top_item->jd_type == JSON_OBJECT_KEY)
+		    {
+			retval = FAIL;
+			break;
+		    }
 		    if (ga_grow(&stack, 1) == FAIL)
 		    {
 			retval = FAIL;
@@ -668,6 +675,11 @@
 		    continue;
 
 		case '{': /* start of object */
+		    if (top_item && top_item->jd_type == JSON_OBJECT_KEY)
+		    {
+			retval = FAIL;
+			break;
+		    }
 		    if (ga_grow(&stack, 1) == FAIL)
 		    {
 			retval = FAIL;