prevent ndarray dimension vector from recusive array, nlohmann/json#3500 by fangq · Pull Request #3502 · nlohmann/json
This fix does not address the issue I described: you seem to open an object with a fixed size of 3 which is never closed, yielding a problem in the SAX parser. I fuzzed this branch (together with the assertions from #3498) and got the following failing input: crash2.bjdata.zip
This generates the following SAX events:
```
<array>
  <array>
    <object>
      <key key="��" />
      <array>
        <number_integer val="27739" />
        <boolean val="true" />
        <object size="3"> <!-- open an object with size 3 -->
          <key key="_ArraySize_" />
          <array size="2">
            <number_integer val="6689" />
            <number_integer val="0" />
          </array> <!-- the first object entry -->
          <array size="0"> <!-- ERROR: a value without key -->
          </array>
          <boolean val="true" /> <!-- ERROR: a value without key -->
          <boolean val="true" /> <!-- ERROR: a value without key -->
          <boolean val="true" /> <!-- ERROR: a value without key -->
          <boolean val="true" /> <!-- ERROR: a value without key -->
      </array> <!-- ERROR: closing array (not object) -->
      <key key="" />
      <number_unsigned val="30069" />
<parse_error id="71" token="<end of file>" />
```
Again, for line

```cpp
if (JSON_HEDLEY_UNLIKELY(!sax->start_object(3) || !sax->key(key) || !sax->start_array(dim.size())))
```

please check

- Why is the size `3` hard-coded?
- Where to add the required `sax->end_object()` call?
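As an added illustration (not code from this PR or from nlohmann/json), here is a small checker for the invariant the review is about: every value inside an object must follow a key, every close must match its open, and nothing may be left open at the end. The event enum, `Frame`, `check_sax_events` and `fuzzed_events` are hypothetical names; the event list is constructed by hand from the SAX listing above.

```cpp
#include <string>
#include <vector>

// Hypothetical, simplified SAX event model (not nlohmann/json's sax interface):
// containers open/close, keys, and every scalar collapsed into Value.
enum class Ev { StartArray, EndArray, StartObject, EndObject, Key, Value };

struct Frame { bool is_object; bool expect_key; };

// Walks an event stream and returns "" if every value inside an object is
// preceded by a key, every close matches its open, and nothing is left open;
// otherwise a description of the first violation and its 0-based event index.
std::string check_sax_events(const std::vector<Ev>& events) {
    std::vector<Frame> stack;
    for (size_t i = 0; i < events.size(); ++i) {
        const Ev e = events[i];
        const std::string at = " at event " + std::to_string(i);
        const bool in_object = !stack.empty() && stack.back().is_object;
        if (e == Ev::Key) {
            if (!in_object) return "key outside object" + at;
            if (!stack.back().expect_key) return "two keys in a row" + at;
            stack.back().expect_key = false;  // a value must follow
        } else if (e == Ev::EndArray || e == Ev::EndObject) {
            if (stack.empty()) return "close without open" + at;
            if (stack.back().is_object != (e == Ev::EndObject)) return "mismatched close" + at;
            if (in_object && !stack.back().expect_key) return "key without value" + at;
            stack.pop_back();
        } else {  // StartArray, StartObject, Value: each is one value of its parent
            if (in_object && stack.back().expect_key) return "value without key" + at;
            if (in_object) stack.back().expect_key = true;  // key/value pair complete
            if (e == Ev::StartArray) stack.push_back({false, false});
            if (e == Ev::StartObject) stack.push_back({true, true});
        }
    }
    return stack.empty() ? "" : "unclosed container at end of stream";
}

// Prefix of the crash2.bjdata event listing quoted above (constructed here
// from that listing), up to and including the first flagged value: the
// object opened with size 3 is never closed, so the next array lands inside
// it without a key.
std::vector<Ev> fuzzed_events() {
    using E = Ev;
    return {E::StartArray, E::StartArray, E::StartObject, E::Key, E::StartArray,
            E::Value, E::Value, E::StartObject /* size 3, never closed */, E::Key,
            E::StartArray, E::Value, E::Value, E::EndArray,
            E::StartArray /* ERROR: a value without key */};
}
```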