spa: json: allow only ascii in bare values

Control characters probably are an error. We also are not validating any
utf8 here, so disallow bare utf8 too --- one likely should use strings
for such content anyway as spaces are not allowed otherwise.

spa/include/spa/utils/json.h

@@ -137,12 +137,16 @@ static inline int spa_json_next(struct spa_json * iter, const char **value)
 				/* disallow bare escape */
 				goto error;
 			default:
+				/* allow bare ascii */
+				if (!(cur >= 32 && cur <= 126))
+					goto error;
 				*value = iter->cur;
 				iter->state = __BARE | flag;
 			}
 			continue;
 		case __BARE:
 			switch (cur) {
+			case '\0':
 			case '\t': case ' ': case '\r': case '\n':
 			case '"': case '#':
 			case ':': case ',': case '=': case ']': case '}':
@@ -153,8 +157,12 @@ static inline int spa_json_next(struct spa_json * iter, const char **value)
 			case '\\':
 				/* disallow bare escape */
 				goto error;
+			default:
+				/* allow bare ascii */
+				if (cur >= 32 && cur <= 126)
+					continue;
 			}
-			continue;
+			goto error;
 		case __STRING:
 			switch (cur) {
 			case '\\':

test/test-spa-json.c

@@ -506,6 +506,19 @@ PWTEST(json_parse_fail)
 	spa_json_init(&it[0], json, strlen(json));
 	expect_parse_error(&it[0], json, 1, 3);
 
+	/* bad bare */
+	json = "\x01x";
+	spa_json_init(&it[0], json, strlen(json));
+	expect_parse_error(&it[0], json, 1, 1);
+
+	json = "x\x01";
+	spa_json_init(&it[0], json, strlen(json));
+	expect_parse_error(&it[0], json, 1, 2);
+
+	json = "\xc3\xa4";
+	spa_json_init(&it[0], json, strlen(json));
+	expect_parse_error(&it[0], json, 1, 1);
+
 	return PWTEST_PASS;
 }
 
@@ -890,6 +903,7 @@ PWTEST(json_data)
 		"n_structure_null-byte-outside-string.json",
 		"n_structure_object_with_trailing_garbage.json",
 		"n_structure_trailing_#.json",
+		"n_multidigit_number_then_00.json",
 
 		/* SPA JSON accepts more number formats */
 		"n_number_-01.json",