Fix: OOM vulnerability cause by is_valid_index

An OOM vulnerability exists in the json_pointer_set function (and related functions). See issue #916 for more details. To fix that, added a sanity check in the is_valid_index function to limit the maximum value of a parsed array index. Provided a configurable macro for modification. Signed-off-by: lone <lonechan314@qq.com>
2026-03-24 23:49:06 +08:00 · 2026-01-25 23:54:27 +08:00
parent d05ea4851f
commit 3d86402028
2 changed files with 18 additions and 0 deletions
--- a/json_pointer.c
+++ b/json_pointer.c
@@ -79,6 +79,16 @@ static int is_valid_index(const char *path, size_t *idx)
 	// but ULLONG_MAX will be longer than any array length so that's ok.
 	*idx = strtoull(path, NULL, 10);

+	// Check against a maximum to prevent excessive memory allocations.
+	// An extremely large index, even if it doesn't overflow size_t,
+	// will cause a huge memory allocation request via realloc,
+	// leading to an OOM.
+	if (*idx > JSON_C_POINTER_MAX_ARRAY_IDX)
+	{
+    	errno = EINVAL;
+    	return 0;
+	}
+
 	return 1;
 }

--- a/json_pointer.h
+++ b/json_pointer.h
@@ -20,6 +20,14 @@
 extern "C" {
 #endif

+/**
+ * Maximum array index for JSON Pointer, preventing excessive memory allocations.
+ * The default value is 10,000,000.
+ */
+#ifndef JSON_C_POINTER_MAX_ARRAY_IDX
+#define JSON_C_POINTER_MAX_ARRAY_IDX 10000000
+#endif
+
 /**
 * Retrieves a JSON sub-object from inside another JSON object
 * using the JSON pointer notation as defined in RFC 6901