From 312dea7ddba55312f356f6907d2c9b5093e0b123 Mon Sep 17 00:00:00 2001
From: "J. Nick Koston"
Date: Wed, 8 Apr 2026 09:46:16 -1000
Subject: [PATCH] [json] Fix heap buffer overflow in SerializationBuffer truncation path (#15566)
---
 esphome/components/json/json_util.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/esphome/components/json/json_util.cpp b/esphome/components/json/json_util.cpp
index 6c60a04d20..edcd23f922 100644
--- a/esphome/components/json/json_util.cpp
+++ b/esphome/components/json/json_util.cpp
@@ -140,8 +140,11 @@ SerializationBuffer<> JsonBuilder::serialize() {
 heap_size *= 2;
 }
 // Payload exceeds 5120 bytes - return truncated result
- ESP_LOGW(TAG, "JSON payload too large, truncated to %zu bytes", size);
- result.set_size_(size);
+ // heap_size was doubled after the last iteration, so the actual allocated
+ // buffer capacity is heap_size/2. Clamp to avoid writing past the buffer.
+ size_t max_content = heap_size / 2 - 1;
+ ESP_LOGW(TAG, "JSON payload too large, truncated to %zu bytes", max_content);
+ result.set_size_(max_content);
 return result;
 }
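Review bot: `size_t max_content = heap_size / 2 - 1;` reconstructs the buffer capacity from the loop counter rather than from the allocation, so the bound holds only while the loop above always doubles `heap_size` exactly once after its last allocation. That loop and the start of `serialize()` are outside this hunk, so this is inferred from the added comment; an early exit or a different growth step added there later would silently bring back the out-of-bounds write. Recording the capacity in a local at the point of allocation and clamping with `size_t max_content = std::min(size, last_capacity - 1);` (where `last_capacity` is a proposed name, not an existing one) would tie the bound to the real buffer. A capacity check inside `set_size_` itself would additionally protect every other caller. The warning also no longer reports `size`, so logging both the requested and the truncated length would keep the message useful when diagnosing oversized payloads.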