Merge pull request #284 from dev-zzo/issue-282

Don't crash on deeply nested values by limiting parser recursion depth
This commit is contained in:
Petri Lehtinen 2016-05-03 13:07:46 +03:00
commit 013c3892c3
7 changed files with 35 additions and 0 deletions


@ -36,4 +36,8 @@
otherwise to 0. */
#define JSON_HAVE_LOCALECONV 0
/* Maximum recursion depth for parsing JSON input.
This limits the depth of e.g. array-within-array constructions. */
#define JSON_PARSER_MAX_DEPTH 2048
#endif
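Review bot: The new `#define JSON_PARSER_MAX_DEPTH 2048` is unconditional, so a build that needs a different depth (a target with a small thread stack, or a harness that wants a lower bound) cannot override it from CFLAGS without editing the generated header; the same applies to the identical definitions in the two other config templates in this commit. Wrapping it as `#ifndef JSON_PARSER_MAX_DEPTH` / `#define JSON_PARSER_MAX_DEPTH 2048` / `#endif` keeps the default while allowing an override. The value is also repeated verbatim in three headers and in the documentation, so a later change to one of them can silently drift from the others. The comment could also say that the limit bounds, rather than removes, the stack usage of the recursive parser, since each nesting level still costs stack frames.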


@ -60,5 +60,9 @@
#define JSON_HAVE_LOCALECONV @JSON_HAVE_LOCALECONV@
/* Maximum recursion depth for parsing JSON input.
This limits the depth of e.g. array-within-array constructions. */
#define JSON_PARSER_MAX_DEPTH 2048
#endif


@ -108,3 +108,13 @@ types, ``long double``, etc. Obviously, shorter types like ``short``,
are implicitly handled via the ordinary C type coercion rules (subject
to overflow semantics). Also, no support or hooks are provided for any
supplemental "bignum" type add-on packages.
Depth of nested values
----------------------
To avoid stack exhaustion, Jansson currently limits the nesting depth
for arrays and objects to a certain value (default: 2048), defined as
a macro ``JSON_PARSER_MAX_DEPTH`` within ``jansson_config.h``.
The limit is allowed to be set by the RFC; there is no recommended value
or required minimum depth to be supported.


@ -36,4 +36,8 @@
otherwise to 0. */
#define JSON_HAVE_LOCALECONV @json_have_localeconv@
/* Maximum recursion depth for parsing JSON input.
This limits the depth of e.g. array-within-array constructions. */
#define JSON_PARSER_MAX_DEPTH 2048
#endif


@ -62,6 +62,7 @@ typedef struct {
stream_t stream;
strbuffer_t saved_text;
size_t flags;
size_t depth;
int token;
union {
struct {
@ -803,6 +804,12 @@ static json_t *parse_value(lex_t *lex, size_t flags, json_error_t *error)
{
json_t *json;
lex->depth++;
if(lex->depth > JSON_PARSER_MAX_DEPTH) {
error_set(error, lex, "maximum parsing depth reached");
return NULL;
}
switch(lex->token) {
case TOKEN_STRING: {
const char *value = lex->value.string.val;
@ -865,6 +872,7 @@ static json_t *parse_value(lex_t *lex, size_t flags, json_error_t *error)
if(!json)
return NULL;
lex->depth--;
return json;
}
@ -872,6 +880,8 @@ static json_t *parse_json(lex_t *lex, size_t flags, json_error_t *error)
{
json_t *result;
lex->depth = 0;
lex_scan(lex, error);
if(!(flags & JSON_DECODE_ANY)) {
if(lex->token != '[' && lex->token != '{') {
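Review bot: The depth check in parse_value is applied to every value, scalars included, so if parse_array and parse_object (outside this hunk) reach members through parse_value, a scalar inside JSON_PARSER_MAX_DEPTH nested arrays is parsed at depth 2049 and rejected, which is one level stricter than the "nesting depth for arrays and objects ... 2048" wording in the documentation hunk; either the comparison or the documentation should be aligned so callers know exactly what is accepted. The new `lex->depth > JSON_PARSER_MAX_DEPTH` early return and the pre-existing `if(!json) return NULL;` both leave `lex->depth` incremented, which is correct only because parse_json resets it with `lex->depth = 0;` before every parse; that dependency deserves a comment next to the increment, e.g. `/* Not decremented on error paths: parse_json() resets depth before each parse. */`. parse_value's body continues outside the hunk, and the surrounding parse_json body is cut off at the end of the section.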


@ -0,0 +1,2 @@
1 2049 2049
maximum parsing depth reached near '['
