[skjson] Catch end-of-stream for unbalanced scopes

The input is not guaranteed to contain well-formed scopes, so it's not
sufficient to check for end-of-stream only when popping the top-level
scope -- we have to check on every scope pop.

Bug: oss-fuzz:8898
Change-Id: I7399a8872187ec6714672cac2ff8fc7fbf3c2dfe
Reviewed-on: https://skia-review.googlesource.com/135059
Reviewed-by: Kevin Lubick <kjlubick@google.com>
Reviewed-by: Mike Klein <mtklein@google.com>
Commit-Queue: Florin Malita <fmalita@chromium.org>

2 files changed, 5 insertions, 0 deletions

diff --git a/modules/skjson/src/SkJSON.cpp b/modules/skjson/src/SkJSON.cpp
index 7f082d7294..d423715947 100644
--- a/modules/skjson/src/SkJSON.cpp
+++ b/modules/skjson/src/SkJSON.cpp
@@ -355,6 +355,10 @@ public:
                 : this->error(NullValue(), p + 1, "trailing root garbage");
         }
 
+        if (p == p_stop) {
+            return this->error(NullValue(), p, "unexpected end-of-input");
+        }
+
         ++p;
 
         goto match_post_value;
diff --git a/modules/skjson/src/SkJSONTest.cpp b/modules/skjson/src/SkJSONTest.cpp
index 91ae497cf0..1aaa278fb8 100644
--- a/modules/skjson/src/SkJSONTest.cpp
+++ b/modules/skjson/src/SkJSONTest.cpp
@@ -49,6 +49,7 @@ DEF_TEST(SkJSON_Parse, reporter) {
         { "[ \"foo"       , nullptr },
         { "[ \"fo\0o\" ]" , nullptr },
 
+        { "{\"\":{}"                  , nullptr },
         { "{ null }"                  , nullptr },
         { "{ \"k\" : }"               , nullptr },
         { "{ : null }"                , nullptr },