Patch to address the following issues:

* CVE-2013-6371: hash collision denial of service
* CVE-2013-6370: buffer overflow if size_t is larger than int
Michael Clark
2014-04-09 13:48:21 +08:00
parent 784534a31f
commit 64e36901a0
11 changed files with 691 additions and 13 deletions


@@ -81,6 +81,7 @@ static const char* json_tokener_errors[] = {
"object value separator ',' expected",
"invalid string sequence",
"expected comment",
"buffer size overflow"
};
const char *json_tokener_error_desc(enum json_tokener_error jerr)
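Review bot: The added "buffer size overflow" string is tied to its error code only by its position in json_tokener_errors, and the matching change to enum json_tokener_error is not visible in this hunk. If json_tokener_error_size is declared anywhere but last in that enum, json_tokener_error_desc would return the wrong text or index past the table, depending on how it bounds-checks jerr (its body is outside the hunk). A comment on the array such as `/* entries must stay in the same order as enum json_tokener_error */` would document the coupling.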
@@ -243,6 +244,16 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
tok->char_offset = 0;
tok->err = json_tokener_success;
/* this interface is presently not 64-bit clean due to the int len argument
and the internal printbuf interface that takes 32-bit int len arguments
so the function limits the maximum string size to INT32_MAX (2GB).
If the function is called with len == -1 then strlen is called to check
the string length is less than INT32_MAX (2GB) */
if ((len < -1) || (len == -1 && strlen(str) > INT32_MAX)) {
tok->err = json_tokener_error_size;
return NULL;
}
while (PEEK_CHAR(c, tok)) {
redo_char:
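Review bot: The guard `strlen(str) > INT32_MAX` accepts a string of exactly INT32_MAX bytes, while the comment above it says the length must be less than INT32_MAX. If the tokener's int offset is advanced once more for the terminating NUL (the loop body is outside this hunk, so this is inferred), that boundary case would sit at the edge of signed overflow. Using `>=` in the comparison, or rewording the comment to "at most INT32_MAX", would make the intended limit unambiguous. The bound is also written as INT32_MAX although the parameter is a plain `int`, so `INT_MAX` would track the actual type. json_tokener_parse_ex starts and continues outside the hunk.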