Closed
Labels
- aspect: binary formats (BSON, CBOR, MessagePack, UBJSON)
- kind: bug
- release item: 🐛 bug fix
- solution: proposed fix (a fix for the issue has been proposed and waits for confirmation)
Description
The BJData reader seems to open an object with a fixed size of 3 which is never closed, yielding a problem in the SAX parser. I fuzzed this branch (together with the assertions from #3498) and got the following failing input: crash2.bjdata.zip
This generates the following SAX events:
<array>
<array>
<object>
<key key="��" />
<array>
<number_integer val="27739" />
<boolean val="true" />
<object size="3"> <!-- open an object with size 3 -->
<key key="_ArraySize_" />
<array size="2">
<number_integer val="6689" />
<number_integer val="0" />
</array> <!-- the first object entry -->
<array size="0"> <!-- ERROR: a value without key -->
</array>
<boolean val="true" /> <!-- ERROR: a value without key -->
<boolean val="true" /> <!-- ERROR: a value without key -->
<boolean val="true" /> <!-- ERROR: a value without key -->
<boolean val="true" /> <!-- ERROR: a value without key -->
</array> <!-- ERROR: closing array (not object) -->
<key key="" />
<number_unsigned val="30069" />
<parse_error id="71" token="<end of file>" />
Again, for line

if (JSON_HEDLEY_UNLIKELY(!sax->start_object(3) || !sax->key(key) || !sax->start_array(dim.size())))

we need to check:
- Why is the size `3` hard-coded?
- Where to add the required `sax->end_object()` call?
Originally posted by @nlohmann in #3502 (comment)
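The event dump above is easiest to reason about as a stream that must satisfy a few invariants: a value inside an object must follow a key, an end event must close the container that is currently open, and a container that declared its size must carry exactly that many elements. The following checker replays such a stream and reports the first violation. It is an added example, not code from nlohmann/json or from the issue author; the `Ev`, `Event`, `Verdict` types and the replayed sequence (a constructed abstraction of the dump, with scalar values collapsed to a single `Value` kind) are assumptions made for this illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical SAX event model for the checker (not the library's SAX interface).
enum class Ev { StartArray, EndArray, StartObject, EndObject, Key, Value };

struct Event {
    Ev kind;
    long size;  // StartArray/StartObject only; -1 = no size declared
    Event(Ev k, long s = -1) : kind(k), size(s) {}
};

struct Verdict {
    bool ok;
    std::size_t index;    // offending event, or events.size() for end of input
    std::string message;
};

namespace {
struct Frame {
    bool is_object;
    long expected;             // declared element/pair count, -1 = unknown
    long seen = 0;             // elements (array) or completed pairs (object)
    bool key_pending = false;  // object only: key seen, value expected next
    Frame(bool o, long e) : is_object(o), expected(e) {}
};
}  // namespace

// Replays the events and returns the first structural violation, if any.
Verdict validate_sax_events(const std::vector<Event>& events) {
    std::vector<Frame> stack;
    auto fail = [](std::size_t i, const std::string& m) { return Verdict{false, i, m}; };

    // Accounts for one value (scalar or container start) in the innermost container.
    auto accept_value = [&](std::size_t i, Verdict& v) -> bool {
        if (stack.empty()) return true;  // top-level value
        Frame& f = stack.back();
        if (f.is_object) {
            if (!f.key_pending) { v = fail(i, "value without key inside object"); return false; }
            f.key_pending = false;
        }
        ++f.seen;
        if (f.expected >= 0 && f.seen > f.expected) {
            v = fail(i, "more elements than the declared size");
            return false;
        }
        return true;
    };

    Verdict v{true, 0, ""};
    for (std::size_t i = 0; i < events.size(); ++i) {
        const Event& e = events[i];
        switch (e.kind) {
        case Ev::Value:
            if (!accept_value(i, v)) return v;
            break;
        case Ev::StartArray:
        case Ev::StartObject:
            if (!accept_value(i, v)) return v;
            stack.push_back(Frame(e.kind == Ev::StartObject, e.size));
            break;
        case Ev::Key:
            if (stack.empty() || !stack.back().is_object) return fail(i, "key outside of an object");
            if (stack.back().key_pending) return fail(i, "two keys in a row");
            stack.back().key_pending = true;
            break;
        case Ev::EndArray:
        case Ev::EndObject: {
            const bool want_object = (e.kind == Ev::EndObject);
            if (stack.empty()) return fail(i, "end without matching start");
            const Frame& f = stack.back();
            if (f.is_object != want_object)
                return fail(i, want_object ? "end_object closes an array" : "end_array closes an object");
            if (f.key_pending) return fail(i, "object closed after key without value");
            if (f.expected >= 0 && f.seen != f.expected) return fail(i, "element count differs from declared size");
            stack.pop_back();
            break;
        }
        }
    }
    if (!stack.empty()) return fail(events.size(), "end of input with unclosed container(s)");
    return v;
}

// Constructed replay of the inner part of the dump in the issue, from the enclosing array on.
std::vector<Event> issue_event_sequence() {
    return {
        {Ev::StartArray},          // <array>
        {Ev::Value}, {Ev::Value},  // 27739, true
        {Ev::StartObject, 3},      // <object size="3">
        {Ev::Key},                 // _ArraySize_
        {Ev::StartArray, 2}, {Ev::Value}, {Ev::Value}, {Ev::EndArray},  // [6689, 0]
        {Ev::StartArray, 0}, {Ev::EndArray},  // first value without a key
        {Ev::Value}, {Ev::Value}, {Ev::Value}, {Ev::Value},
        {Ev::EndArray},            // closes the outer array while the object is still open
    };
}

// A well-formed stream for comparison: the object declares exactly the pairs it carries.
std::vector<Event> well_formed_sequence() {
    return {{Ev::StartObject, 1}, {Ev::Key}, {Ev::StartArray, 2},
            {Ev::Value}, {Ev::Value}, {Ev::EndArray}, {Ev::EndObject}};
}

int main() {
    for (const auto& seq : {issue_event_sequence(), well_formed_sequence()}) {
        Verdict v = validate_sax_events(seq);
        std::cout << (v.ok ? "ok" : "event " + std::to_string(v.index) + ": " + v.message) << '\n';
    }
    return 0;
}
```

Run against the replayed dump, the checker stops at the `<array size="0">` event with "value without key inside object", which is the first `ERROR` annotation in the dump; the same walk would also flag the later `end_array` against an open object and, had the stream ended there, the never-closed size-3 object. A check of this shape is a cheap sanity harness to put behind a fuzzing SAX consumer.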