From 6011a2f51a1c28d78a1bd5578cfff405819fd47f Mon Sep 17 00:00:00 2001 From: Benoit Blanchon Date: Sat, 20 Apr 2019 15:12:29 +0200 Subject: [PATCH] Fixed `deserializeJson()` not being picky enough (fixes #969) --- CHANGELOG.md | 1 + src/ArduinoJson/Numbers/parseNumber.hpp | 3 +++ test/JsonDeserializer/invalid_input.cpp | 4 ++-- test/Numbers/parseNumber.cpp | 6 ++++++ 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 70a6e35c..e70dbd7a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ HEAD ---- * Fixed error "attributes are not allowed on a function-definition" +* Fixed `deserializeJson()` not being picky enough (issue #969) v6.10.0 (2019-03-22) ------- diff --git a/src/ArduinoJson/Numbers/parseNumber.hpp b/src/ArduinoJson/Numbers/parseNumber.hpp index 35fb3468..6db0d1bd 100644 --- a/src/ArduinoJson/Numbers/parseNumber.hpp +++ b/src/ArduinoJson/Numbers/parseNumber.hpp @@ -140,6 +140,9 @@ inline ParsedNumber parseNumber(const char *s) { } exponent += exponent_offset; + // we should be at the end of the string, otherwise it's an error + if (*s != '\0') return return_type(); + TFloat result = traits::make_float(static_cast(mantissa), exponent); return is_negative ? -result : result; diff --git a/test/JsonDeserializer/invalid_input.cpp b/test/JsonDeserializer/invalid_input.cpp index 487fc6f8..ad1fac80 100644 --- a/test/JsonDeserializer/invalid_input.cpp +++ b/test/JsonDeserializer/invalid_input.cpp @@ -7,8 +7,8 @@ #include TEST_CASE("Invalid JSON input") { - const char* testCases[] = {"'\\u'", "'\\u000g'", "'\\u000'", - "'\\u000G'", "'\\u000/'", "\\x1234"}; + const char* testCases[] = {"'\\u'", "'\\u000g'", "'\\u000'", "'\\u000G'", + "'\\u000/'", "\\x1234", "6a9"}; const size_t testCount = sizeof(testCases) / sizeof(testCases[0]); DynamicJsonDocument doc(4096); diff --git a/test/Numbers/parseNumber.cpp b/test/Numbers/parseNumber.cpp index 19638fed..320aed73 100644 --- a/test/Numbers/parseNumber.cpp 
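Review bot: The new `if (*s != '\0') return return_type();` check after `exponent += exponent_offset;` makes parseNumber() an all-or-nothing parser, but neither the comment beside it nor anything else in the hunk states that contract. Any caller that passes a pointer into a longer buffer, rather than an isolated NUL-terminated token, will now get a null result where it previously got the leading number. That is the right behaviour for a strict JSON parser, though it may also change string-to-number conversions elsewhere if they share this function (not visible here). I would widen the comment to state the rule, e.g. `// the whole NUL-terminated string must be a number; any trailing character yields a null ParsedNumber`. The function starts and ends outside this hunk, so the earlier return paths could not be checked for the same rule.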
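Review bot: The only malformed number added to `testCases` is `"6a9"`, where the stray character directly follows integer digits, so the paths nearest the new check get no negative test. The end-of-string check sits after the exponent handling (and presumably the fraction handling). Adding entries such as `"1.5x"` and `"1e5x"` (constructed examples) would pin the strictness on those branches too. Lenient number parsing is a common source of disagreement between validators and consumers, so it is worth locking down each branch. The same gap applies to the `Invalid value` case added in test/Numbers/parseNumber.cpp, which checks only `"6a3"`.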
+++ b/test/Numbers/parseNumber.cpp @@ -16,3 +16,9 @@ TEST_CASE("Test uint32_t overflow") { REQUIRE(first.type() == uint8_t(VALUE_IS_POSITIVE_INTEGER)); REQUIRE(second.type() == uint8_t(VALUE_IS_FLOAT)); } + +TEST_CASE("Invalid value") { + ParsedNumber result = parseNumber("6a3"); + + REQUIRE(result.type() == uint8_t(VALUE_IS_NULL)); +}