mirror/json-c
1
0
Fork 0
mirror of https://github.com/json-c/json-c.git synced 2026-04-12 00:39:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix various potential null ptr deref and int32 overflows

Browse Source 
This fix errors that can happen when ingesting very large JSON files
when hitting the maximum heap size of the process.
This commit is contained in:
Even Rouault
2016-01-11 12:15:54 +01:00
parent 537f8bcbdb
commit 77a4276a8c
3 changed files with 38 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
json_tokener.c
View File

@@ -286,11 +286,15 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
state = json_tokener_state_eatws;
saved_state = json_tokener_state_object_field_start;
current = json_object_new_object();
if(current == NULL)
goto out;
break;
case '[':
state = json_tokener_state_eatws;
saved_state = json_tokener_state_array;
current = json_object_new_array();
if(current == NULL)
goto out;
break;
case 'I':
case 'i':
@@ -376,6 +380,8 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
if (tok->st_pos == json_inf_str_len)
{
current = json_object_new_double(is_negative ? -INFINITY : INFINITY);
if(current == NULL)
goto out;
saved_state = json_tokener_state_finish;
state = json_tokener_state_eatws;
goto redo_char;
@@ -413,6 +419,8 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
if (tok->st_pos == json_nan_str_len)
{
current = json_object_new_double(NAN);
if (current == NULL)
goto out;
saved_state = json_tokener_state_finish;
state = json_tokener_state_eatws;
goto redo_char;
@@ -486,6 +494,8 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
if(c == tok->quote_char) {
printbuf_memappend_fast(tok->pb, case_start, str-case_start);
current = json_object_new_string_len(tok->pb->buf, tok->pb->bpos);
if(current == NULL)
goto out;
saved_state = json_tokener_state_finish;
state = json_tokener_state_eatws;
break;
@@ -646,6 +656,8 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
) {
if(tok->st_pos == json_true_str_len) {
current = json_object_new_boolean(1);
if(current == NULL)
goto out;
saved_state = json_tokener_state_finish;
state = json_tokener_state_eatws;
goto redo_char;
@@ -655,6 +667,8 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
|| (strncmp(json_false_str, tok->pb->buf, size2) == 0)) {
if(tok->st_pos == json_false_str_len) {
current = json_object_new_boolean(0);
if(current == NULL)
goto out;
saved_state = json_tokener_state_finish;
state = json_tokener_state_eatws;
goto redo_char;
@@ -737,10 +751,14 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
goto out;
}
current = json_object_new_int64(num64);
if(current == NULL)
goto out;
}
else if(tok->is_double && json_parse_double(tok->pb->buf, &numd) == 0)
{
current = json_object_new_double_s(numd, tok->pb->buf);
if(current == NULL)
goto out;
} else {
tok->err = json_tokener_error_parse_number;
goto out;
@@ -775,7 +793,8 @@ struct json_object* json_tokener_parse_ex(struct json_tokener *tok,
break;
case json_tokener_state_array_add:
json_object_array_add(current, obj);
if( json_object_array_add(current, obj) != 0 )
goto out;
saved_state = json_tokener_state_array_sep;
state = json_tokener_state_eatws;
goto redo_char;