From a1602f484bdb6d2ff25dd09ee08097d757d899d6 Mon Sep 17 00:00:00 2001
From: Max Bruckner
Date: Tue, 11 Apr 2017 18:07:19 +0200
Subject: [PATCH] cJSONUtils_ApplyPatches: Don't accept invalid array indices
---
 cJSON_Utils.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/cJSON_Utils.c b/cJSON_Utils.c
index c193ae5..bba3bf3 100644
--- a/cJSON_Utils.c
+++ b/cJSON_Utils.c
@@ -543,7 +543,25 @@ static int cJSONUtils_ApplyPatch(cJSON *object, cJSON *patch)
 }
 else
 {
- if (!insert_item_in_array(parent, (size_t)atoi((char*)childptr), value))
+ char *end_pointer = NULL;
+ long int index = strtol((char*)childptr, &end_pointer, 10);
+ if ((unsigned char*)end_pointer == childptr)
+ {
+ /* failed to parse numeric array index */
+ free(parentptr);
+ cJSON_Delete(value);
+ return 11;
+ }
+
+ if ((index < 0) || (*end_pointer != '\0'))
+ {
+ /* array index is invalid */
+ free(parentptr);
+ cJSON_Delete(value);
+ return 12;
+ }
+
+ if (!insert_item_in_array(parent, (size_t)index, value))
 {
 free(parentptr);
 cJSON_Delete(value);
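Review bot: The new strtol() parse still accepts index strings that are not plain digit sequences: strtol skips leading whitespace and takes an optional sign, so ` 1`, `+1` and `-0` pass both checks and reach insert_item_in_array, as does a leading-zero form such as `01`. Rejecting anything that does not start with a digit closes the first three, e.g. widen the first condition to `if ((childptr[0] < '0') || (childptr[0] > '9') || ((unsigned char*)end_pointer == childptr))`. Overflow is also unchecked: for an out-of-range value strtol returns LONG_MAX, which is cast to size_t and passed on, so whether it is rejected depends on insert_item_in_array, which is not visible here; setting `errno = 0` before the call and testing `errno == ERANGE` alongside `index < 0` would make that explicit. The body of cJSONUtils_ApplyPatch starts and ends outside this hunk.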