lejp: improve bogus JSON underrun detection

https://github.com/warmcat/libwebsockets/issues/1357

lib/misc/lejp.c

@@ -250,7 +250,7 @@ lejp_parse(struct lejp_ctx *ctx, const unsigned char *json, int len)
 
 		case LEJP_MP_STRING:
 			if (c == '\"') {
-				if (!ctx->sp) {
+				if (!ctx->sp) { /* JSON can't end on quote */
 					ret = LEJP_REJECT_MP_STRING_UNDERRUN;
 					goto reject;
 				}
@@ -425,17 +425,23 @@ lejp_parse(struct lejp_ctx *ctx, const unsigned char *json, int len)
 
 			case ']':
 				/* pop */
+				if (!ctx->sp) { /* JSON can't end on ] */
+					ret = LEJP_REJECT_MP_C_OR_E_UNDERF;
+					goto reject;
+				}
 				ctx->sp--;
 				if (ctx->st[ctx->sp].s != LEJP_MP_ARRAY_END) {
 					ret = LEJP_REJECT_MP_C_OR_E_NOTARRAY;
 					goto reject;
 				}
 				/* drop the path [n] bit */
-				ctx->ppos = ctx->st[ctx->sp - 1].p;
-				ctx->ipos = ctx->st[ctx->sp - 1].i;
+				if (ctx->sp) {
+					ctx->ppos = ctx->st[ctx->sp - 1].p;
+					ctx->ipos = ctx->st[ctx->sp - 1].i;
+				}
 				ctx->path[ctx->ppos] = '\0';
 				if (ctx->path_match &&
-					       ctx->ppos <= ctx->path_match_len)
+				    ctx->ppos <= ctx->path_match_len)
 					/*
 					 * we shrank the path to be
 					 * smaller than the matching point
@@ -603,7 +609,7 @@ lejp_parse(struct lejp_ctx *ctx, const unsigned char *json, int len)
 				break;
 			}
 			if (c == ']') {
-				if (!ctx->sp) {
+				if (!ctx->sp) {  /* JSON can't end on ] */
 					ret = LEJP_REJECT_MP_C_OR_E_UNDERF;
 					goto reject;
 				}
@@ -631,7 +637,7 @@ lejp_parse(struct lejp_ctx *ctx, const unsigned char *json, int len)
 				goto redo_character;
 			}
 			if (c == '}') {
-				if (ctx->sp == 0) {
+				if (!ctx->sp) {
 					lejp_check_path_match(ctx);
 					if (ctx->callback(ctx, LEJPCB_OBJECT_END)) {
 						ret = LEJP_REJECT_CALLBACK;