A pitfall encountered with rapidjson
document.h
The following code is very dangerous.
    Member* FindMember(const Ch* name) {
        RAPIDJSON_ASSERT(name);
        RAPIDJSON_ASSERT(IsObject());

        Object& o = data_.o;
        for (Member* member = o.members; member != data_.o.members + data_.o.size; ++member)
            // name is indexed with the member's key length before name's own length is known
            if (name[member->name.data_.s.length] == '\0' && memcmp(member->name.data_.s.str, name, member->name.data_.s.length * sizeof(Ch)) == 0)
                return member;

        return 0;
    }
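Suppose the name passed in is "11",
and the length of every member key in the JSON is greater than 11.
Then name[member->name.data_.s.length] here amounts to an out-of-bounds access: name holds only its own characters plus the terminating '\0', so indexing it with a longer key's length reads past the end of the buffer.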
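The same comparison with the length check done first, as an added example that is not rapidjson's own code. `Key`, `FirstOutOfBoundsKey`, `FindKeySafe` and the sample keys are hypothetical names and constructed data; `Key` stands in for `member->name.data_.s`.

```cpp
#include <cstddef>
#include <cstring>

// Simplified stand-in for rapidjson's member name storage (hypothetical type).
struct Key {
    const char* str;     // key bytes
    std::size_t length;  // key length, excluding the terminator
};

// Models the check from the page without performing the unsafe read: returns
// the index of the first key for which name[key.length] lies outside `name`
// (strlen(name) + 1 bytes), or -1 if the loop would finish or return first.
int FirstOutOfBoundsKey(const Key* keys, std::size_t count, const char* name) {
    const std::size_t name_len = std::strlen(name);
    for (std::size_t i = 0; i < count; ++i) {
        if (keys[i].length > name_len)
            return static_cast<int>(i);  // index is past the terminator
        if (keys[i].length == name_len &&
            std::memcmp(keys[i].str, name, name_len) == 0)
            return -1;  // original loop returns this member here
    }
    return -1;
}

// Hardened lookup: measure `name` once, compare lengths first, then memcmp,
// so neither buffer is ever indexed past its own length.
const Key* FindKeySafe(const Key* keys, std::size_t count, const char* name) {
    if (!name) return nullptr;
    const std::size_t name_len = std::strlen(name);
    for (std::size_t i = 0; i < count; ++i)
        if (keys[i].length == name_len &&
            std::memcmp(keys[i].str, name, name_len) == 0)
            return &keys[i];
    return nullptr;
}

// Constructed sample data: every key is longer than the lookup name "11".
static const Key kSampleKeys[] = {
    {"session_token", 13},
    {"account_number", 14},
};

int main() {
    // "11" would trigger the out-of-bounds read at key 0; the safe lookup
    // simply reports "not found".
    bool ok = FirstOutOfBoundsKey(kSampleKeys, 2, "11") == 0 &&
              FindKeySafe(kSampleKeys, 2, "11") == nullptr;
    return ok ? 0 : 1;
}
```
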