From 41e2837df1b1091643aff073f2313f6ff3cc10f4 Mon Sep 17 00:00:00 2001
From: Max Bruckner
Date: Fri, 3 Feb 2017 16:34:50 +0100
Subject: [PATCH] Fix potentially undefined behavior when filling valueint
If the number is bigger or smaller than the biggest or smallest integer, the behavior would be undefined. This commit defines it as saturation behavior.
---
 cJSON.c | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)
diff --git a/cJSON.c b/cJSON.c
index 559b967..b16853e 100644
--- a/cJSON.c
+++ b/cJSON.c
@@ -225,7 +225,19 @@ static const unsigned char *parse_number(cJSON *item, const unsigned char *num)
 n = sign * n * pow(10.0, (scale + subscale * signsubscale));
 item->valuedouble = n;
- item->valueint = (int)n;
+ /* use saturation in case of overflow */
+ if (n >= INT_MAX)
+ {
+ item->valueint = INT_MAX;
+ }
+ else if (n <= INT_MIN)
+ {
+ item->valueint = INT_MIN;
+ }
+ else
+ {
+ item->valueint = (int)n;
+ }
 item->type = cJSON_Number;
 return num;
@@ -2021,7 +2033,20 @@ cJSON *cJSON_CreateNumber(double num)
 {
 item->type = cJSON_Number;
 item->valuedouble = num;
- item->valueint = (int)num;
+
+ /* use saturation in case of overflow */
+ if (num >= INT_MAX)
+ {
+ item->valueint = INT_MAX;
+ }
+ else if (num <= INT_MIN)
+ {
+ item->valueint = INT_MIN;
+ }
+ else
+ {
+ item->valueint = (int)num;
+ }
 }
 return item;
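Review bot: A NaN still reaches the `(int)n` cast in the new else branch, because both `n >= INT_MAX` and `n <= INT_MIN` are false for NaN, so the undefined conversion this commit sets out to remove remains reachable; in parse_number the product `sign * n * pow(...)` on the context line above can yield NaN from parsed input (a zero mantissa with an exponent large enough for `pow` to return infinity gives `0 * inf`), and cJSON_CreateNumber in the second hunk takes `num` directly from the caller. I would test for NaN before the range checks, e.g. `if (n != n) { item->valueint = 0; } /* NaN: no int representation, (int)NaN is undefined */` (or `isnan(n)` where C99 is acceptable to the project), and mirror it in the cJSON_CreateNumber hunk. Since the same three-way saturation is now duplicated in both hunks, a `static int saturate_to_int(double d)` helper holding the NaN and range checks would keep the two sites from drifting apart. INT_MAX and INT_MIN come from `<limits.h>`; the include list is outside the diff, so confirm it is already included. parse_number's body begins before this hunk.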