json: fix spdk_json_decode_array() bounds check

The spdk_json_decode_array() function previously tried to check whether
the array would fit into the provided number of output elements
(max_size) before decoding; however, the check was incorrectly comparing
the total number of nested JSON values in the array rather than just the
count of top-level array elements.

Rather than doing the check up front (which can't be done without
modifying the way array lengths are stored in spdk_json_value), just
check if we have reached the end of the 'out' array on each iteration of
the decoding loop.

Fixes GitHub issue #232.

Change-Id: I4d7ce4be022bdf5f726654d0d96277b9d63bd350
Signed-off-by: Daniel Verkamp <daniel.verkamp@intel.com>
Reviewed-on: https://review.gerrithub.io/397591
Reviewed-by: Ben Walker <benjamin.walker@intel.com>
Tested-by: SPDK Automated Test System <sys_sgsw@intel.com>
Reviewed-by: Dariusz Stojaczyk <dariuszx.stojaczyk@intel.com>
Reviewed-by: Jim Harris <james.r.harris@intel.com>
Reviewed-by: <shuhei.matsumoto.xt@hitachi.com>

lib/json/json_util.c

@@ -340,20 +340,22 @@ spdk_json_decode_array(const struct spdk_json_val *values, spdk_json_decode_fn d
 {
 	uint32_t i;
 	char *field;
+	char *out_end;
 
 	if (values == NULL || values->type != SPDK_JSON_VAL_ARRAY_BEGIN) {
 		return -1;
 	}
 
-	if (values->len > max_size) {
-		return -1;
-	}
-
 	*out_size = 0;
 	field = out;
+	out_end = field + max_size * stride;
 	for (i = 0; i < values->len;) {
 		const struct spdk_json_val *v = &values[i + 1];
 
+		if (field == out_end) {
+			return -1;
+		}
+
 		if (decode_func(v, field)) {
 			return -1;
 		}