Fix decode_pointer_inplace ~1 escape and minify_string escape handling

qwertystars · Copilot · qwertystars · commit 716a6c2a985b · 2026-03-14T15:39:57.000Z
Two bugs fixed:

1. cJSON_Utils.c decode_pointer_inplace(): The ~1 JSON Pointer escape
   (RFC 6901 §3) was writing to decoded_string[1] instead of
   decoded_string[0], causing incorrect decoding. Additionally,
   non-escape characters after escape sequences were not being copied
   when the decoded output pointer fell behind the input pointer.
   This caused JSON Patch operations with ~1 in paths to silently
   fail or operate on wrong keys.

2. cJSON.c minify_string(): The escape handling only checked for \"
   (escaped quote) but not \\ (escaped backslash) or other escapes.
   A string ending with \\ caused the closing quote to be
   misidentified as an escaped quote, making the function read past
   the string boundary and absorb subsequent JSON tokens into the
   string value.

Both fixes are minimal and include bounds checking. All 19 existing
tests pass with these changes.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/cJSON.c b/cJSON.c
@@ -2913,7 +2913,7 @@ static void minify_string(char **input, char **output) {
             *input += static_strlen("\"");
             *output += static_strlen("\"");
             return;
-        } else if (((*input)[0] == '\\') && ((*input)[1] == '\"')) {
+        } else if (((*input)[0] == '\\') && ((*input)[1] != '\0')) {
             (*output)[1] = (*input)[1];
             *input += static_strlen("\"");
             *output += static_strlen("\"");
diff --git a/cJSON_Utils.c b/cJSON_Utils.c
@@ -374,7 +374,7 @@ static void decode_pointer_inplace(unsigned char *string)
             }
             else if (string[1] == '1')
             {
-                decoded_string[1] = '/';
+                decoded_string[0] = '/';
             }
             else
             {
@@ -384,6 +384,10 @@ static void decode_pointer_inplace(unsigned char *string)
 
             string++;
         }
+        else
+        {
+            decoded_string[0] = string[0];
+        }
     }
 
     decoded_string[0] = '\0';

Original file line number	Diff line number	Diff line change
`@@ -374,7 +374,7 @@ static void decode_pointer_inplace(unsigned char *string)`
`374`	`374`	`}`
`375`	`375`	`else if (string[1] == '1')`
`376`	`376`	`{`
`377`		`- decoded_string[1] = '/';`
	`377`	`+ decoded_string[0] = '/';`
`378`	`378`	`}`
`379`	`379`	`else`
`380`	`380`	`{`
`@@ -384,6 +384,10 @@ static void decode_pointer_inplace(unsigned char *string)`
`384`	`384`
`385`	`385`	`string++;`
`386`	`386`	`}`
	`387`	`+ else`
	`388`	`+ {`
	`389`	`+ decoded_string[0] = string[0];`
	`390`	`+ }`
`387`	`391`	`}`
`388`	`392`
`389`	`393`	`decoded_string[0] = '\0';`