From 6ea543e6c731db30b0807f531a445a66c66619b9 Mon Sep 17 00:00:00 2001
From: m-holger <m-holger@kubitscheck.org>
Date: Tue, 24 Jan 2023 13:04:31 +0000
Subject: [PATCH] In JSONParser add lex_state ls_number_e_sign

---
 libqpdf/JSON.cc                       | 17 ++++++++++++++---
 libtests/qtest/json_parse.test        |  2 ++
 libtests/qtest/json_parse/bad-43.json |  1 +
 libtests/qtest/json_parse/bad-43.out  |  1 +
 libtests/qtest/json_parse/bad-44.json |  1 +
 libtests/qtest/json_parse/bad-44.out  |  1 +
 6 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100644 libtests/qtest/json_parse/bad-43.json
 create mode 100644 libtests/qtest/json_parse/bad-43.out
 create mode 100644 libtests/qtest/json_parse/bad-44.json
 create mode 100644 libtests/qtest/json_parse/bad-44.out

diff --git a/libqpdf/JSON.cc b/libqpdf/JSON.cc
index d6baf584..8e55b08c 100644
--- a/libqpdf/JSON.cc
+++ b/libqpdf/JSON.cc
@@ -653,6 +653,7 @@ namespace
             ls_number_point,
             ls_number_after_point,
             ls_number_e,
+            ls_number_e_sign,
             ls_alpha,
             ls_string,
             ls_backslash,
@@ -988,6 +989,14 @@ JSONParser::getToken()
                 ++number_after_e;
                 lex_state = ls_number;
             } else if ((*p == '+') || (*p == '-')) {
+                lex_state = ls_number_e_sign;
+            } else {
+                numberError();
+            }
+            break;
+
+        case ls_number_e_sign:
+            if ((*p >= '0') && (*p <= '9')) {
                 lex_state = ls_number;
             } else {
                 numberError();
@@ -1120,13 +1129,14 @@ JSONParser::getToken()
                 throw std::logic_error("tok_start set in ls_top while parsing");
                 break;
 
+            case ls_number:
+            case ls_number_minus:
+            case ls_number_leading_zero:
             case ls_number_before_point:
             case ls_number_point:
             case ls_number_after_point:
             case ls_number_e:
-            case ls_number:
-            case ls_number_minus:
-            case ls_number_leading_zero:
+            case ls_number_e_sign:
             case ls_alpha:
                 // okay
                 break;
@@ -1206,6 +1216,7 @@ JSONParser::handleToken()
     case ls_number_point:
     case ls_number_after_point:
     case ls_number_e:
+    case ls_number_e_sign:
         if (number_saw_point && (number_after_point == 0)) {
             // QTC::TC("libtests", "JSON parse decimal with no digits");
             throw std::runtime_error(
diff --git a/libtests/qtest/json_parse.test b/libtests/qtest/json_parse.test
index 7c64e3bd..d38d70de 100644
--- a/libtests/qtest/json_parse.test
+++ b/libtests/qtest/json_parse.test
@@ -123,6 +123,8 @@ my @bad = (
     "duplicate dictionary key", # 40
     "decimal point after minus",# 41
     "e after minus",            # 42
+    "missing digit after e",    # 43
+    "missing digit after e+/-", # 44
     );
 
 my $i = 0;
diff --git a/libtests/qtest/json_parse/bad-43.json b/libtests/qtest/json_parse/bad-43.json
new file mode 100644
index 00000000..896a676a
--- /dev/null
+++ b/libtests/qtest/json_parse/bad-43.json
@@ -0,0 +1 @@
+123e
diff --git a/libtests/qtest/json_parse/bad-43.out b/libtests/qtest/json_parse/bad-43.out
new file mode 100644
index 00000000..84070aa9
--- /dev/null
+++ b/libtests/qtest/json_parse/bad-43.out
@@ -0,0 +1 @@
+exception: bad-43.json: JSON: offset 4: numeric literal: incomplete number
diff --git a/libtests/qtest/json_parse/bad-44.json b/libtests/qtest/json_parse/bad-44.json
new file mode 100644
index 00000000..3a5d7dff
--- /dev/null
+++ b/libtests/qtest/json_parse/bad-44.json
@@ -0,0 +1 @@
+123e+
diff --git a/libtests/qtest/json_parse/bad-44.out b/libtests/qtest/json_parse/bad-44.out
new file mode 100644
index 00000000..f72120c4
--- /dev/null
+++ b/libtests/qtest/json_parse/bad-44.out
@@ -0,0 +1 @@
+exception: bad-44.json: JSON: offset 5: numeric literal: incomplete number