Merge commit 'refs/pullreqs/207' into bsdmake

robohack · robohack · commit 34ca04ef9065 · 2021-11-11T16:12:31.000-08:00
Closes lloyd/yajl#207
diff --git a/src/yajl_gen.c b/src/yajl_gen.c
@@ -254,9 +254,14 @@ yajl_gen_status
 yajl_gen_integer(yajl_gen g, long long int number)
 {
     char i[32];
+    int len;
+
     ENSURE_VALID_STATE; ENSURE_NOT_KEY; INSERT_SEP; INSERT_WHITESPACE;
-    sprintf(i, "%lld", number);
-    g->print(g->ctx, i, (size_t)strlen(i));
+    len = sprintf(i, "%lld", number);
+    if (len < 0) {                     /* highly unlikely, perhaps impossible */
+        return yajl_gen_invalid_number;
+    }
+    g->print(g->ctx, i, (size_t) len);
     APPENDED_ATOM;
     FINAL_NEWLINE;
     return yajl_gen_status_ok;
@@ -285,22 +290,28 @@ yajl_gen_status
 yajl_gen_double(yajl_gen g, double number)
 {
     char i[32];
+    int len;
+
     ENSURE_VALID_STATE; ENSURE_NOT_KEY;
     if (isnan(number) || isinf(number)) return yajl_gen_invalid_number;
     INSERT_SEP; INSERT_WHITESPACE;
-    sprintf(i, "%.*g", DBL_DIG, number); /* xxx in theory we could/should use
-                                          * DBL_DECIMAL_DIG for pure
-                                          * serialization, but what about to
-                                          * JSON readers that might not be using
-                                          * IEEE 754 binary64 for numbers? */
+    len = sprintf(i, "%.*g", DBL_DIG, number); /* xxx in theory we could/should
+                                                * use DBL_DECIMAL_DIG for pure
+                                                * serialization, but what about
+                                                * to JSON readers that might not
+                                                * be using IEEE 754 binary64 for
+                                                * numbers? */
+    if (len < 0) {                    /* highly unlikely, or even impossible? */
+        return yajl_gen_invalid_number;
+    }
     /*
-     * xxx perhaps this should be controlled by a runtime-configurable
-     * option?
+     * xxx perhaps forcing decimal notation should be controlled by a
+     * runtime-configurable option?
      */
     if (strspn(i, "0123456789-") == strlen(i)) {
         strcat(i, ".0");
     }
-    g->print(g->ctx, i, (size_t)strlen(i));
+    g->print(g->ctx, i, (size_t) len);
     APPENDED_ATOM;
     FINAL_NEWLINE;
     return yajl_gen_status_ok;
