From 2bab3a4b0cc549c1f77febf3eacc695f463168ea Mon Sep 17 00:00:00 2001
From: Charlie Tonneslan <cst0520@gmail.com>
Date: Fri, 20 Mar 2026 18:34:47 -0400
Subject: [PATCH] fix: off-by-one in decode_pointer_inplace for ~1 escape

decode_pointer_inplace writes the decoded '/' for '~1' to
decoded_string[1] instead of decoded_string[0], corrupting
JSON Pointer paths that contain forward slashes. The '~0'
case correctly writes to decoded_string[0].

Fixes #977
---
 cJSON_Utils.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cJSON_Utils.c b/cJSON_Utils.c
index 8fa24f8e..3b642fa1 100644
--- a/cJSON_Utils.c
+++ b/cJSON_Utils.c
@@ -374,7 +374,7 @@ static void decode_pointer_inplace(unsigned char *string)
             }
             else if (string[1] == '1')
             {
-                decoded_string[1] = '/';
+                decoded_string[0] = '/';
             }
             else
             {