From 7b59e26dd7b301b79490821a4bcf7fd4a59fd4e4 Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Thu, 17 Jan 2019 12:39:45 +1030
Subject: [PATCH] jsmn: upgrade so JSMN_OBJECT's size parameter is usable.

jsmn would accept invalid JSON objects. This is bad because it would set ->size incorrectly: we expect to have at least size * 2 tokens (in pairs). We want to rely on ->size, but this would create an exploitable buffer overflow! Fortunately, this is fixed upstream, so we add a test and upgrade to v1.0.0.
Signed-off-by: Rusty Russell
---
 common/test/run-json.c | 5 +++++
 external/jsmn | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/common/test/run-json.c b/common/test/run-json.c
index e37b81e42..e44e64c9a 100644
--- a/common/test/run-json.c
+++ b/common/test/run-json.c
@@ -74,6 +74,11 @@ static void test_json_tok_size(void)
 assert(toks[0].size == 2);
 assert(toks[2].size == 2);
 assert(toks[6].size == 2);
+
+ /* This should *not* parse! (used to give toks[0]->size == 2!) */
+ buf = "{ 'satoshi', '546' }";
+ toks = json_parse_input(tmpctx, buf, strlen(buf), &ok);
+ assert(!ok);
 }
 
 static void test_json_delve(void)
diff --git a/external/jsmn b/external/jsmn
index 6784c826d..18e9fe42c 160000
--- a/external/jsmn
+++ b/external/jsmn
@@ -1 +1 @@
-Subproject commit 6784c826d9674915a4d89649c6288e6aecb4110d
+Subproject commit 18e9fe42cbfe21d65076f5c77ae2be379ad1270f
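Review bot: The regression input added in the `common/test/run-json.c` hunk, `"{ 'satoshi', '546' }"`, departs from valid JSON in two ways at once: the tokens are single-quoted and the key has no `:` value. So `assert(!ok)` does not pin which of the two makes the parser refuse it. If the build of jsmn in use rejects single-quoted tokens on its own (not visible from this hunk), the test would keep passing even if the object-pairing check that protects `->size` regressed. Using properly quoted strings makes the missing pair the only defect: `buf = "{ \"satoshi\", \"546\" }";`. Since the commit message describes relying on `->size` as a memory-safety matter, a comment above the case saying that callers index `size * 2` tokens would also explain why the test must stay. `test_json_tok_size` begins above this hunk, so the declarations of `buf`, `toks` and `ok` are not visible here.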