mirror/json-c
1
0
Fork 0
mirror of https://github.com/json-c/json-c.git synced 2026-04-11 00:09:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix: OOM vulnerability cause by is_valid_index

Browse Source 
An OOM vulnerability exists in the json_pointer_set function (and related functions).
See issue #916 for more details.

To fix that, added a sanity check in the is_valid_index function to limit the maximum value of a parsed array index.
Provided a configurable macro for modification.

Signed-off-by: lone <lonechan314@qq.com>
This commit is contained in:
lone
2026-01-25 23:54:27 +08:00
parent d05ea4851f
commit 3d86402028
2 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
json_pointer.c
View File

@@ -79,6 +79,16 @@ static int is_valid_index(const char *path, size_t *idx)
// but ULLONG_MAX will be longer than any array length so that's ok. // but ULLONG_MAX will be longer than any array length so that's ok.
*idx = strtoull(path, NULL, 10); *idx = strtoull(path, NULL, 10);
// Check against a maximum to prevent excessive memory allocations.
// An extremely large index, even if it doesn't overflow size_t,
// will cause a huge memory allocation request via realloc,
// leading to an OOM.
if (*idx > JSON_C_POINTER_MAX_ARRAY_IDX)
{
errno = EINVAL;
return 0;
}
return 1; return 1;
} }

8
json_pointer.h
View File

@@ -20,6 +20,14 @@
extern "C" { extern "C" {
#endif #endif
/**
* Maximum array index for JSON Pointer, preventing excessive memory allocations.
* The default value is 10,000,000.
*/
#ifndef JSON_C_POINTER_MAX_ARRAY_IDX
#define JSON_C_POINTER_MAX_ARRAY_IDX 10000000
#endif
/** /**
* Retrieves a JSON sub-object from inside another JSON object * Retrieves a JSON sub-object from inside another JSON object
* using the JSON pointer notation as defined in RFC 6901 * using the JSON pointer notation as defined in RFC 6901