From 0b69378a03d6b232f1f3938dddb5e18876e2a24a Mon Sep 17 00:00:00 2001
From: Vinnie Falco
Date: Mon, 7 Oct 2013 02:49:03 -0700
Subject: [PATCH] Update Json::Reader::decodeDouble
---
 src/ripple/json/impl/json_reader.cpp | 37 +++++++++++++++++-----------
 1 file changed, 22 insertions(+), 15 deletions(-)
diff --git a/src/ripple/json/impl/json_reader.cpp b/src/ripple/json/impl/json_reader.cpp
index a3731177f2..6836667343 100644
--- a/src/ripple/json/impl/json_reader.cpp
+++ b/src/ripple/json/impl/json_reader.cpp
@@ -710,34 +710,41 @@ Reader::decodeNumber ( Token& token )
 return true;
 }
-
 bool
-Reader::decodeDouble ( Token& token )
+Reader::decodeDouble( Token &token )
 {
 double value = 0;
 const int bufferSize = 32;
 int count;
- int length = int (token.end_ - token.start_);
-
- if ( length < bufferSize )
+ int length = int(token.end_ - token.start_);
+ // Sanity check to avoid buffer overflow exploits.
+ if (length < 0) {
+ return addError( "Unable to parse token length", token );
+ }
+ // Avoid using a string constant for the format control string given to
+ // sscanf, as this can cause hard to debug crashes on OS X. See here for more
+ // info:
+ //
+ // http://developer.apple.com/library/mac/#DOCUMENTATION/DeveloperTools/gcc-4.0.1/gcc/Incompatibilities.html
+ char format[] = "%lf";
+ if ( length <= bufferSize )
 {
- Char buffer[bufferSize];
- memcpy ( buffer, token.start_, length );
+ Char buffer[bufferSize+1];
+ memcpy( buffer, token.start_, length );
 buffer[length] = 0;
- count = sscanf ( buffer, "%lf", &value );
+ count = sscanf( buffer, format, &value );
 }
 else
 {
- std::string buffer ( token.start_, token.end_ );
- count = sscanf ( buffer.c_str (), "%lf", &value );
+ std::string buffer( token.start_, token.end_ );
+ count = sscanf( buffer.c_str(), format, &value );
 }
-
 if ( count != 1 )
- return addError ( "'" + std::string ( token.start_, token.end_ ) + "' is not a number.", token );
-
- currentValue () = value;
+ return addError( "'" + std::string( token.start_, token.end_ ) + "' is not a number.", token );
+ currentValue() = value;
 return true;
-}
+}
+
 bool
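Review bot: The `if ( count != 1 )` check that gates `currentValue() = value` still accepts literals whose magnitude `%lf` cannot represent: sscanf reports a successful conversion (returns 1) and stores ±HUGE_VAL for an input such as `1e999`, so a non-finite double is stored even though JSON cannot express one and downstream code that assumes a finite value will misbehave. The new `length < 0` guard and the `bufferSize+1` stack buffer address buffer sizing, not the numeric range of what is parsed. If this reader is meant to reject such input, extend the check to `if ( count != 1 || !std::isfinite(value) )` (C++11 `<cmath>`), or parse with strtod and treat ERANGE in errno as a parse error. Note also that `%lf` honours the current locale's decimal separator; whether the tokenizer already restricts the characters that reach this function is not visible in the hunk, so that may or may not be a concern here. decodeDouble lies entirely within the hunk, but the hunk opens on the tail of decodeNumber and closes on the first line of the next definition.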