adds upper bound check

pflege-de · Sep 18, 2024 · b535649 · b535649
1 parent b5102bd
commit b535649
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/forcejson/decode.go b/forcejson/decode.go
@@ -12,6 +12,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"math"
 	"reflect"
 	"runtime"
 	"strconv"
@@ -58,7 +59,6 @@ import (
 // invalid UTF-16 surrogate pairs are not treated as an error.
 // Instead, they are replaced by the Unicode replacement
 // character U+FFFD.
-//
 func Unmarshal(data []byte, v interface{}) error {
 	// Check for well-formedness.
 	// Avoids filling out half a data structure
@@ -621,7 +621,7 @@ var numberType = reflect.TypeOf(Number(""))
 func (d *decodeState) literalStore(item []byte, v reflect.Value, fromQuoted bool) {
 	// Check for unmarshaler.
 	if len(item) == 0 {
-		//Empty string given
+		// Empty string given
 		d.saveError(fmt.Errorf("force: invalid use of ,string struct tag, trying to unmarshal %q into %v", item, v.Type()))
 		return
 	}
@@ -925,7 +925,7 @@ func getu4(s []byte) rune {
 		return -1
 	}
 	r, err := strconv.ParseUint(string(s[2:6]), 16, 64)
-	if err != nil {
+	if err != nil || r > math.MaxInt32 {
 		return -1
 	}
 	return rune(r)