Merge pull request #284 from dev-zzo/issue-282
Don't crash on deeply nested values by limiting parser recursion depth
This commit is contained in:
commit
013c3892c3
@ -36,4 +36,8 @@
|
||||
otherwise to 0. */
|
||||
#define JSON_HAVE_LOCALECONV 0
|
||||
|
||||
/* Maximum recursion depth for parsing JSON input.
|
||||
This limits the depth of e.g. array-within-array constructions. */
|
||||
#define JSON_PARSER_MAX_DEPTH 2048
|
||||
|
||||
#endif
|
||||
|
@ -60,5 +60,9 @@
|
||||
#define JSON_HAVE_LOCALECONV @JSON_HAVE_LOCALECONV@
|
||||
|
||||
|
||||
/* Maximum recursion depth for parsing JSON input.
|
||||
This limits the depth of e.g. array-within-array constructions. */
|
||||
#define JSON_PARSER_MAX_DEPTH 2048
|
||||
|
||||
|
||||
#endif
|
||||
|
@ -108,3 +108,13 @@ types, ``long double``, etc. Obviously, shorter types like ``short``,
|
||||
are implicitly handled via the ordinary C type coercion rules (subject
|
||||
to overflow semantics). Also, no support or hooks are provided for any
|
||||
supplemental "bignum" type add-on packages.
|
||||
|
||||
Depth of nested values
|
||||
----------------------
|
||||
|
||||
To avoid stack exhaustion, Jansson currently limits the nesting depth
|
||||
for arrays and objects to a certain value (default: 2048), defined as
|
||||
a macro ``JSON_PARSER_MAX_DEPTH`` within ``jansson_config.h``.
|
||||
|
||||
The limit is allowed to be set by the RFC; there is no recommended value
|
||||
or required minimum depth to be supported.
|
||||
|
@ -36,4 +36,8 @@
|
||||
otherwise to 0. */
|
||||
#define JSON_HAVE_LOCALECONV @json_have_localeconv@
|
||||
|
||||
/* Maximum recursion depth for parsing JSON input.
|
||||
This limits the depth of e.g. array-within-array constructions. */
|
||||
#define JSON_PARSER_MAX_DEPTH 2048
|
||||
|
||||
#endif
|
||||
|
10
src/load.c
10
src/load.c
@ -62,6 +62,7 @@ typedef struct {
|
||||
stream_t stream;
|
||||
strbuffer_t saved_text;
|
||||
size_t flags;
|
||||
size_t depth;
|
||||
int token;
|
||||
union {
|
||||
struct {
|
||||
@ -803,6 +804,12 @@ static json_t *parse_value(lex_t *lex, size_t flags, json_error_t *error)
|
||||
{
|
||||
json_t *json;
|
||||
|
||||
lex->depth++;
|
||||
if(lex->depth > JSON_PARSER_MAX_DEPTH) {
|
||||
error_set(error, lex, "maximum parsing depth reached");
|
||||
return NULL;
|
||||
}
|
||||
|
||||
switch(lex->token) {
|
||||
case TOKEN_STRING: {
|
||||
const char *value = lex->value.string.val;
|
||||
@ -865,6 +872,7 @@ static json_t *parse_value(lex_t *lex, size_t flags, json_error_t *error)
|
||||
if(!json)
|
||||
return NULL;
|
||||
|
||||
lex->depth--;
|
||||
return json;
|
||||
}
|
||||
|
||||
@ -872,6 +880,8 @@ static json_t *parse_json(lex_t *lex, size_t flags, json_error_t *error)
|
||||
{
|
||||
json_t *result;
|
||||
|
||||
lex->depth = 0;
|
||||
|
||||
lex_scan(lex, error);
|
||||
if(!(flags & JSON_DECODE_ANY)) {
|
||||
if(lex->token != '[' && lex->token != '{') {
|
||||
|
2
test/suites/invalid/recursion-depth/error
Normal file
2
test/suites/invalid/recursion-depth/error
Normal file
@ -0,0 +1,2 @@
|
||||
1 2049 2049
|
||||
maximum parsing depth reached near '['
|
1
test/suites/invalid/recursion-depth/input
Normal file
1
test/suites/invalid/recursion-depth/input
Normal file
File diff suppressed because one or more lines are too long
Loading…
Reference in New Issue
Block a user