126 lines
101 KiB
Diff
126 lines
101 KiB
Diff
|
From 64ce0ad3731ebd77e02897b07920eadd0e2cc318 Mon Sep 17 00:00:00 2001
|
||
|
From: Dmitry Janushkevich <gauri@tut.by>
|
||
|
Date: Mon, 2 May 2016 13:59:26 +0200
|
||
|
Subject: [PATCH] Fix for issue #282
|
||
|
|
||
|
The fix limits recursion depths when parsing arrays and objects.
|
||
|
The limit is configurable via the `JSON_PARSER_MAX_DEPTH` setting
|
||
|
within `jansson_config.h` and is set by default to 2048.
|
||
|
|
||
|
Update the RFC conformance document to note the limit; the RFC
|
||
|
allows limits to be set by the implementation so nothing has
|
||
|
actually changed w.r.t. conformance state.
|
||
|
|
||
|
Reported by Gustavo Grieco.
|
||
|
---
|
||
|
android/jansson_config.h | 4 ++++
|
||
|
cmake/jansson_config.h.cmake | 4 ++++
|
||
|
doc/conformance.rst | 10 ++++++++++
|
||
|
src/jansson_config.h.in | 4 ++++
|
||
|
src/load.c | 10 ++++++++++
|
||
|
test/suites/invalid/recursion-depth/error | 2 ++
|
||
|
test/suites/invalid/recursion-depth/input | 1 +
|
||
|
7 files changed, 35 insertions(+)
|
||
|
create mode 100644 test/suites/invalid/recursion-depth/error
|
||
|
create mode 100644 test/suites/invalid/recursion-depth/input
|
||
|
|
||
|
--- a/android/jansson_config.h
|
||
|
+++ b/android/jansson_config.h
|
||
|
@@ -36,4 +36,8 @@
|
||
|
otherwise to 0. */
|
||
|
#define JSON_HAVE_LOCALECONV 0
|
||
|
|
||
|
+/* Maximum recursion depth for parsing JSON input.
|
||
|
+ This limits the depth of e.g. array-within-array constructions. */
|
||
|
+#define JSON_PARSER_MAX_DEPTH 2048
|
||
|
+
|
||
|
#endif
|
||
|
--- a/cmake/jansson_config.h.cmake
|
||
|
+++ b/cmake/jansson_config.h.cmake
|
||
|
@@ -60,5 +60,9 @@
|
||
|
#define JSON_HAVE_LOCALECONV @JSON_HAVE_LOCALECONV@
|
||
|
|
||
|
|
||
|
+/* Maximum recursion depth for parsing JSON input.
|
||
|
+ This limits the depth of e.g. array-within-array constructions. */
|
||
|
+#define JSON_PARSER_MAX_DEPTH 2048
|
||
|
+
|
||
|
|
||
|
#endif
|
||
|
--- a/doc/conformance.rst
|
||
|
+++ b/doc/conformance.rst
|
||
|
@@ -108,3 +108,13 @@
|
||
|
are implicitly handled via the ordinary C type coercion rules (subject
|
||
|
to overflow semantics). Also, no support or hooks are provided for any
|
||
|
supplemental "bignum" type add-on packages.
|
||
|
+
|
||
|
+Depth of nested values
|
||
|
+----------------------
|
||
|
+
|
||
|
+To avoid stack exhaustion, Jansson currently limits the nesting depth
|
||
|
+for arrays and objects to a certain value (default: 2048), defined as
|
||
|
+a macro ``JSON_PARSER_MAX_DEPTH`` within ``jansson_config.h``.
|
||
|
+
|
||
|
+The limit is allowed to be set by the RFC; there is no recommended value
|
||
|
+or required minimum depth to be supported.
|
||
|
--- a/src/jansson_config.h.in
|
||
|
+++ b/src/jansson_config.h.in
|
||
|
@@ -36,4 +36,8 @@
|
||
|
otherwise to 0. */
|
||
|
#define JSON_HAVE_LOCALECONV @json_have_localeconv@
|
||
|
|
||
|
+/* Maximum recursion depth for parsing JSON input.
|
||
|
+ This limits the depth of e.g. array-within-array constructions. */
|
||
|
+#define JSON_PARSER_MAX_DEPTH 2048
|
||
|
+
|
||
|
#endif
|
||
|
--- a/src/load.c
|
||
|
+++ b/src/load.c
|
||
|
@@ -61,6 +61,7 @@
|
||
|
typedef struct {
|
||
|
stream_t stream;
|
||
|
strbuffer_t saved_text;
|
||
|
+ size_t depth;
|
||
|
int token;
|
||
|
union {
|
||
|
struct {
|
||
|
@@ -800,6 +801,12 @@
|
||
|
json_t *json;
|
||
|
double value;
|
||
|
|
||
|
+ lex->depth++;
|
||
|
+ if(lex->depth > JSON_PARSER_MAX_DEPTH) {
|
||
|
+ error_set(error, lex, "maximum parsing depth reached");
|
||
|
+ return NULL;
|
||
|
+ }
|
||
|
+
|
||
|
switch(lex->token) {
|
||
|
case TOKEN_STRING: {
|
||
|
const char *value = lex->value.string.val;
|
||
|
@@ -870,6 +877,7 @@
|
||
|
if(!json)
|
||
|
return NULL;
|
||
|
|
||
|
+ lex->depth--;
|
||
|
return json;
|
||
|
}
|
||
|
|
||
|
@@ -877,6 +885,8 @@
|
||
|
{
|
||
|
json_t *result;
|
||
|
|
||
|
+ lex->depth = 0;
|
||
|
+
|
||
|
lex_scan(lex, error);
|
||
|
if(!(flags & JSON_DECODE_ANY)) {
|
||
|
if(lex->token != '[' && lex->token != '{') {
|
||
|
--- /dev/null
|
||
|
+++ b/test/suites/invalid/recursion-depth/error
|
||
|
@@ -0,0 +1,2 @@
|
||
|
+1 2049 2049
|
||
|
+maximum parsing depth reached near '['
|
||
|
--- /dev/null
|
||
|
+++ b/test/suites/invalid/recursion-depth/input
|
||
|
@@ -0,0 +1 @@
|
||
|

|