Array-bounds read problems when a bad string is passed to the parser.
For example, an input string that is NOT NUL-terminated, and has a partial string-value with a trailing single backslash.
const char *Input = "\"x\":\"va\";
Specify input length as 8 characters. The code will attempt to reference Input in jsmn.c at around line 120 where it tried to look at the characters after the backslash. Similarly, if there is an incomplete \uXXXX sequence, without trailing NUL, there will be a buffer overflow there.