
fix: in lib/json in json.c #7

Closed
orbisai0security wants to merge 1 commit into MazuNIX:main from orbisai0security:fix-v004-integer-overflow-json-memcpy

Conversation

@orbisai0security orbisai0security commented May 12, 2026

Summary

Fix critical severity security issue in lib/json.c.

Vulnerability

Field      Value
ID         V-004
Severity   CRITICAL
Scanner    multi_agent_ai
Rule       V-004
File       lib/json.c:279

Description: In lib/json.c at lines 279 and 354, size calculations of the form count * sizeof(struct ...) are used to determine both allocation sizes and memcpy lengths. If count is attacker-controlled (e.g., from a JSON array length field) and is set near SIZE_MAX / sizeof(struct json_value), the multiplication wraps to a small value. The allocator creates an undersized buffer based on the wrapped value, and the subsequent memcpy writes the full (large) number of bytes, overflowing the undersized buffer and corrupting heap memory.

Changes

  • lib/json.c

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security


Summary by cubic

Fixes a critical integer overflow in lib/json.c that could under-allocate buffers and corrupt heap memory when parsing large arrays or objects. We now validate element counts before allocation and memcpy.

  • Bug Fixes
    • Added overflow guards in array and object parsing (count > SIZE_MAX / sizeof(...)).
    • Return JSON_ERR_OVERFLOW instead of allocating/copying when the count is unsafe.

Written for commit 837ee16. Summary will update on new commits.

Automated security fix generated by Orbis Security AI

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 1 file

@jserv
Contributor

jserv commented May 13, 2026

Close in favor of #11

@jserv jserv closed this May 13, 2026
@orbisai0security
Author

Thanks, that makes sense. I missed that the parser already bounds count via JSON_CONTAINER_MAX before these copies. The static_assert approach is cleaner since it documents and enforces the no-overflow invariant without adding unreachable runtime checks. Appreciate the attribution in #11.
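The two approaches discussed in this thread side by side, as an added example that is not code from this PR or from lib/json.c: the pre-fix `count * sizeof(...)` pattern that wraps, the runtime guard this PR proposed (`count > SIZE_MAX / sizeof(...)`, returning `JSON_ERR_OVERFLOW`), and a `_Static_assert` tying the no-overflow invariant to `JSON_CONTAINER_MAX` as #11 does. The `struct json_value` layout, the value 4096 for `JSON_CONTAINER_MAX`, the error-code values and the function names are assumptions, not the project's definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins: the real lib/json.c definitions and the value of
   JSON_CONTAINER_MAX are not on this page, so these are assumed. */
struct json_value { int type; void *data; };
#define JSON_CONTAINER_MAX 4096
enum { JSON_OK = 0, JSON_ERR_OVERFLOW = -1, JSON_ERR_NOMEM = -2 };

/* Compile-time invariant in the spirit of #11: with count capped at
   JSON_CONTAINER_MAX, count * sizeof(struct json_value) cannot wrap. */
_Static_assert(JSON_CONTAINER_MAX <= SIZE_MAX / sizeof(struct json_value),
               "JSON_CONTAINER_MAX * sizeof(struct json_value) overflows");

/* Pre-fix pattern: returns 1 when the product silently wrapped, i.e. the
   allocation would be smaller than the bytes memcpy would then write. */
int naive_size_wraps(size_t count) {
    size_t bytes = count * sizeof(struct json_value);
    return bytes / sizeof(struct json_value) != count;
}

/* Runtime guard from this PR: check count before multiplying. */
int json_element_bytes(size_t count, size_t *bytes) {
    if (count > SIZE_MAX / sizeof(struct json_value))
        return JSON_ERR_OVERFLOW;
    *bytes = count * sizeof(struct json_value);
    return JSON_OK;
}

/* Allocate and copy count elements using the guarded size, so the
   allocation length and the memcpy length always agree. */
int json_copy_elements(const struct json_value *src, size_t count,
                       struct json_value **out) {
    size_t bytes;
    int rc = json_element_bytes(count, &bytes);
    if (rc != JSON_OK)
        return rc;
    struct json_value *dst = malloc(bytes ? bytes : 1);
    if (!dst)
        return JSON_ERR_NOMEM;
    memcpy(dst, src, bytes);
    *out = dst;
    return JSON_OK;
}

int main(void) {
    size_t huge = SIZE_MAX / sizeof(struct json_value) + 1, bytes = 0;
    printf("naive wraps: %d, guarded rc: %d\n", naive_size_wraps(huge),
           json_element_bytes(huge, &bytes));
    return 0;
}
```

On a 64-bit build the wrapped product for `huge` is exactly 0, so the naive path would allocate nothing and memcpy 2^64 bytes, while the guard rejects the same count before any allocation.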
