Fix ledmap parser reading past end of map array

[evanc]

Summary

WS2812FX::deserializeMap() (wled00/FX_fcn.cpp:2160-2178) reads the map array one comma-delimited token at a time, breaking out only when customMappingSize >= getLengthTotal(). When getLengthTotal() exceeds the actual map[] entry count (e.g. a trailing PWM/OnOff bus placed after a 2D matrix), and the JSON has "map" before "width"/"height", the loop continues past the array's closing ] and reads the next JSON key. atoi("\"width\":23") returns 0, which gets stored at customMappingTable[matrixSize]. The trailing strip's segment writes are then silently rerouted to physical pixel 0.

The existing if (!foundDigit) break handles the case where ] appears alone in a chunk. This adds the symmetric case for when ] follows the last valid digit in the same chunk — store the entry, then exit.

How it works

customMappingTable[customMappingSize++] = index;
if (end != nullptr) break;  // ← new line
if (customMappingSize >= getLengthTotal()) break;

end is already computed earlier as strchr(number, ']'). If non-null, the chunk we just processed contained the array terminator, so there are no more entries to read regardless of what getLengthTotal() is.

Reproduction (pre-fix)

• ESP32-C3, WLED 16.0.0 (parser code is identical on main and 16_x)
• Digital strip on one pin: 55 LEDs at start=0
• PWM White (TYPE_ANALOG_1CH) on a separate pin at start=529 (post-matrix trailing strip)
• ledmap.json defining a 23×23 matrix with the WLED-MM key order: {"map":[...],"width":23,"height":23}
• A 1D segment at [529, 530)

Writes to segment 1 are routed to physical pixel 0 of the digital bus instead of the PWM bus. Pin 9 receives no PWM updates.

Why JSON key order matters

Commit 336e074 ("fix for 0byte size files, also made reading ledmaps more efficient", Nov 2025) changed WLED's UI to generate "width"/"height" before "map". That implicitly dodges this bug because when the parser reads past the array, it hits the closing } — strchr finds ]-or-nothing patterns it already handles via the no-digit-found path. The original PR framed the change as a load-time optimization; it also turns out to be a quiet workaround. WLED-MM and pre-336e074b ledmaps still trigger the bug.

Testing

• Compiled clean on esp32c3dev and esp32dev (pio run -e esp32c3dev, pio run -e esp32dev).
• npm test passes.
• Tested on actual hardware (ESP32-C3 / Seeed Xiao, SK6812 RGBW matrix + PWM White via MOSFET):
  • With current main, broken-order ledmap, trailing PWM bus → PWM dead, matrix pixel 0 driven by segment 1. ✗
  • With this patch, same ledmap, same buses → PWM driven by segment 1, matrix pixel 0 untouched. ✓
• No behavior change for ledmaps where "width"/"height" come first (the strchr(']')-with-no-digit path still handles them).

Risk

One line added, scoped to the trailing-strip + map-first JSON ordering case. The new break only fires on chunks that already contained the array terminator, so well-formed JSON with width/height first is unaffected.

Summary by CodeRabbit

• Bug Fixes
  • Fixed LED map parsing to correctly stop at the end of the mapping array, preventing misinterpretation of trailing JSON data.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a01e00d3-24bf-4db6-814e-6b66091c5dbd

📥 Commits

Reviewing files that changed from the base of the PR and between 3a46f44 and e6dbee6.

📒 Files selected for processing (1)

• wled00/FX_fcn.cpp

---

Walkthrough

In WS2812FX::deserializeMap(), a single break statement is added to the JSON chunk-read loop. When the current chunk contains the closing ] of the "map" array (indicated by end != nullptr), the loop exits immediately, preventing any trailing JSON content from being processed as additional map entries.

Changes

LED-map JSON parsing fix

Layer / File(s)	Summary
Break on map array close wled00/FX_fcn.cpp	Exits the chunk-read loop immediately when the closing ] of the "map" array is detected (end != nullptr), stopping trailing JSON content from being interpreted as map entries.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• wled/WLED#5073: Also modifies wled00/FX_fcn.cpp around LED-map JSON parsing, adjusting bounds/size checks and debug handling in the same deserializeMap path.

Suggested reviewers

• willmmiles
• blazoncek

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Fix ledmap parser reading past end of map array' clearly and specifically describes the main bug fix: preventing the parser from reading beyond the JSON array terminator.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[softhack007]

While the explanation ("why JSON key order matterrs") is full of wrong factual claims, the fix may still be reasonable.

There is actually no relation to leading width/height fields (old MM format). Line 2159 f.find("\"map\":[") makes sure that array reading always starts at the right position, so any tags before that won't matter. Also the statement that the UI writes a ledmap.json file is wrong. But it might be possible that a short ledmap is read one element past the end of the list - i'll double-check this.

Silently re-routing to pixel 0 is possibly related to how the ledmap array gets initialized - a customMappingsTable entry that's not present in the ledmap.json file would retain the previous value - initially 0.

This will get solved with another PR

• use same approach for ledmap as is done in gap file #5242

[softhack007]

@coderabbitai please verify if the problem described by the user is actually caused by reading past the end of array in ledmap.json. you can assume that the input is a sized-optimized JSON file without additional whitespace.

The source code to check starts here

WLED/wled00/FX_fcn.cpp

Line 2154 in 3a46f44

customMappingTable = static_cast<uint16_t*>(d_malloc(sizeof(uint16_t)*getLengthTotal())); // prefer DRAM for speed

Make sure you ignore the explanations provided in the PR description, as the explanations provided in the PR description are full of wrong assumptions.

Also check if #5242 alone would fix the problem.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read the deserializeMap parsing section from FX_fcn.cpp
sed -n '2140,2250p' wled00/FX_fcn.cpp

Length of output: 4107

---

🏁 Script executed:

#!/bin/bash
# Get PR `#5242` details and diff
gh pr view 5242 --repo wled/WLED --json title,body,state,files
gh pr diff 5242 --repo wled/WLED 2>/dev/null | head -200

Length of output: 1853

---

---

@softhack007 Here is the analysis, ignoring the PR description's explanations entirely.

---

Bug verification: does the overread actually happen?

Yes, it is real. Here's the precise mechanism for a compact (no-whitespace) JSON like {"map":[0,1,...,15],"width":4,"height":4} where getLengthTotal() = 17 (16-LED matrix + 1 trailing bus):

The loop uses f.readBytesUntil(',', number, sizeof(number)-1). For the last array element there is no trailing comma before ], so readBytesUntil reads 15] into number.

number = "15]"
end = strchr(number, ']')  →  non-null (points at ']')
foundDigit initially = false (because end != nullptr)
do-while: number[0]='1' → digit found, foundDigit = true, break
→ if (!foundDigit) break  NOT taken
→ atoi("15]") = 15  (atoi stops at non-digit ']')
→ customMappingTable[16-1] = 15, customMappingSize = 16

Without the if (end != nullptr) break fix, the loop continues:

• customMappingSize(16) >= getLengthTotal()(17) → false → no break
• Next readBytesUntil(',') reads "width":4 (the next comma-delimited token after the ])
• end = strchr("\"width\":4", ']') → null → foundDigit = true initially
• atoi("\"width\":4") → 0 (string starts with ", a non-digit)
• customMappingTable[16] = 0 ← the bug: trailing bus pixel silently routed to pixel 0
• customMappingSize(17) >= getLengthTotal()(17) → true → break

The if (!foundDigit) break guard only catches the case where ] appears alone in a chunk (e.g., when there is a space before ]). It does not help when ] is attached to a digit like 15].

---

Does PR #5242 alone fix this?

No. PR #5242 pre-initialises the table before the file parser runs:

unsigned matrixSize = Segment::maxWidth * Segment::maxHeight;
for (unsigned i = 0; i < matrixSize; i++)       customMappingTable[i] = 0xFFFFU; // matrix empty
for (unsigned i = matrixSize; i < getLengthTotal(); i++) customMappingTable[i] = i; // trailing identity

So customMappingTable[16] starts as 16 (identity). But the file-based streaming parser then runs and still overwrites customMappingTable[16] with 0 due to the overread. The correct identity init from #5242 is silently stomped by the buggy loop.

The two PRs fix orthogonal issues:

• #5242 fixes the initialisation of unwritten trailing entries (and of matrix holes, 0xFFFF).
• #5693 fixes the overread that corrupts those trailing entries during parsing.

Both fixes are needed for a complete solution.

[DedeHai]

its a valid fix, definitely a bug but also only shows on "sloppy" incomplete ledmaps.
Also saving the ledmap in the editor will fix it (I think this is what is meant by "the UI saves the ledmap") as the editor parses a ledmap and puts the width and height in front.
A ledmap must contain all entries, if entries are skipped, there is no guarantee it will map correctly: this was discussed in length and I think there is a pending (but unifinshed?) PR to the docs stating this.