fix: off-by-one in decode_pointer_inplace for ~1 escape sequence #998

Open
ctonneslan wants to merge 1 commit into DaveGamble:master from ctonneslan:fix/decode-pointer-off-by-one

@ctonneslan

Summary

Fixes an off-by-one bug in decode_pointer_inplace() where the ~1 escape sequence writes the decoded / to the wrong position, corrupting JSON Pointer paths during patch application.

Bug

// ~0 case: correct — writes to current output position
decoded_string[0] = '~';

// ~1 case: BUG — writes to next position instead of current
decoded_string[1] = '/';  // should be decoded_string[0]

This causes JSON Pointer paths containing ~1 (encoded /) to be decoded incorrectly. For example, a patch targeting "a/b" (encoded as "a~1b") would corrupt the key to "a~/" instead of "a/b".

Fix

- decoded_string[1] = '/';
+ decoded_string[0] = '/';
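
Review bot: The corrected assignment in the ~1 branch arrives without a regression test, so nothing guards the write index against drifting again. Please add a cJSON_Utils test that applies a patch whose path contains ~1 (the description's "a~1b" should resolve to the key "a/b") and one whose path contains ~01, which per RFC 6901 must decode to "~1" and not "/".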

Consistent with the ~0 case on line 373.

Fixes #977

decode_pointer_inplace writes the decoded '/' for '~1' to
decoded_string[1] instead of decoded_string[0], corrupting
JSON Pointer paths that contain forward slashes. The '~0'
case correctly writes to decoded_string[0].

Fixes DaveGamble#977
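
The decoding rule discussed above, as an added example that is neither cJSON's code nor part of this pull request: a standalone in-place decoder for the RFC 6901 escapes that validates first and then writes every decoded byte to the current output position. The function name `pointer_token_decode_inplace` and the sample strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not cJSON's decode_pointer_inplace): decode the
 * RFC 6901 escapes "~0" -> '~' and "~1" -> '/' in place.
 * Returns 0 on success, -1 on NULL input or an invalid escape, in which
 * case the buffer is left unmodified. */
int pointer_token_decode_inplace(char *token)
{
    const char *in;
    char *out;

    if (token == NULL) {
        return -1;
    }

    /* Pass 1: validate, so a malformed token is never half-rewritten.
     * A trailing '~' fails here because in[1] is the terminator. */
    for (in = token; *in != '\0'; in++) {
        if (in[0] == '~') {
            if (in[1] != '0' && in[1] != '1') {
                return -1;
            }
            in++; /* skip the escape digit */
        }
    }

    /* Pass 2: decode. The write pointer never passes the read pointer,
     * and every byte, escaped or not, lands in out[0], the current
     * output position. Reading left to right also keeps "~01" as "~1". */
    for (in = token, out = token; *in != '\0'; in++, out++) {
        if (in[0] == '~') {
            out[0] = (in[1] == '0') ? '~' : '/';
            in++; /* consume the escape digit */
        } else {
            out[0] = in[0];
        }
    }
    out[0] = '\0';
    return 0;
}
```

Because the decoded string is never longer than the encoded one, the in-place rewrite cannot overrun the buffer.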

Successfully merging this pull request may close these issues.

[cJSON_Utils] decode_pointer_inplace off-by-one causes incorrect decoding of "~1" (JSON Pointer)
