fix buffer overruns in JsonWriter::put with UTF-8 values

Change-Id: I694585a1a540bfefc0e59bd58d8033a96ca35acb
Signed-off-by: Michael Meeks <michael.meeks@collabora.com>
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/123003

1 files changed, 8 insertions, 3 deletions

diff --git a/tools/source/misc/json_writer.cxx b/tools/source/misc/json_writer.cxx
index c326201eb9e5..0bcbbddc606d 100644
--- a/tools/source/misc/json_writer.cxx
+++ b/tools/source/misc/json_writer.cxx
@@ -200,7 +200,10 @@ void JsonWriter::writeEscapedOUString(const OUString& rPropVal)
 void JsonWriter::put(const char* pPropName, const OUString& rPropVal)
 {
     auto nPropNameLength = strlen(pPropName);
-    auto nWorstCasePropValLength = rPropVal.getLength() * 2;
+    // But values can be any UTF-8,
+    // see rtl_ImplGetFastUTF8ByteLen in sal/rtl/string.cxx for why a factor 3
+    // is the worst case
+    auto nWorstCasePropValLength = rPropVal.getLength() * 3;
     ensureSpace(nPropNameLength + nWorstCasePropValLength + 8);
 
     addCommaBeforeField();
@@ -220,8 +223,10 @@ void JsonWriter::put(const char* pPropName, const OUString& rPropVal)
 
 void JsonWriter::put(const char* pPropName, const OString& rPropVal)
 {
+    // we assume property names are ascii
     auto nPropNameLength = strlen(pPropName);
-    auto nWorstCasePropValLength = rPropVal.getLength();
+    // escaping can double the length
+    auto nWorstCasePropValLength = rPropVal.getLength() * 2;
     ensureSpace(nPropNameLength + nWorstCasePropValLength + 8);
 
     addCommaBeforeField();
@@ -372,7 +377,7 @@ void JsonWriter::put(const char* pPropName, bool nPropVal)
 
 void JsonWriter::putSimpleValue(const OUString& rPropVal)
 {
-    auto nWorstCasePropValLength = rPropVal.getLength() * 2;
+    auto nWorstCasePropValLength = rPropVal.getLength() * 3;
     ensureSpace(nWorstCasePropValLength + 4);
 
     addCommaBeforeField();