From e0d3a8a265fc69ecc2c0c859c0e63153bf922877 Mon Sep 17 00:00:00 2001
From: Max Bruckner
Date: Thu, 27 Apr 2017 01:48:40 +0200
Subject: [PATCH] Limit nesting depth to 1000 and make it configurable.
---
 README.md | 4 ++++
 cJSON.c | 19 ++++++++++++++++++-
 cJSON.h | 6 ++++++
 tests/misc_tests.c | 15 +++++++++++++++
 tests/parse_array.c | 6 ++----
 tests/parse_number.c | 3 +--
 tests/parse_object.c | 6 ++----
 tests/parse_string.c | 6 ++----
 tests/parse_value.c | 3 +--
 tests/print_array.c | 3 +--
 tests/print_object.c | 3 +--
 tests/print_value.c | 3 +--
 12 files changed, 54 insertions(+), 23 deletions(-)
diff --git a/README.md b/README.md
index 16d056d..6b344cb 100644
--- a/README.md
+++ b/README.md
@@ -389,6 +389,10 @@ cJSON does not officially support any `double` implementations other than IEE754
 The maximum length of a floating point literal that cJSON supports is currently 63 characters.
+#### Deep Nesting Of Arrays And Objects
+
+cJSON doesn't support arrays and objects that are nested too deeply because this would result in a stack overflow. To prevent this cJSON limits the depth to `CJSON_NESTING_LIMIT` which is 1000 by default but can be changed at compile time.
+
 #### Thread Safety
 In general cJSON is **not thread safe**.
diff --git a/cJSON.c b/cJSON.c
index a25556d..172e3b6 100644
--- a/cJSON.c
+++ b/cJSON.c
@@ -202,6 +202,7 @@ typedef struct
 const unsigned char *content;
 size_t length;
 size_t offset;
+ size_t depth; /* How deeply nested (in arrays/objects) is the input at the current offset. */
 } parse_buffer;
 /* check if the given size is left to read in a given parse buffer (starting with 1) */
@@ -956,7 +957,7 @@ static parse_buffer *buffer_skip_whitespace(parse_buffer * const buffer)
 /* Parse an object - create a new root, and populate. */
 CJSON_PUBLIC(cJSON *) cJSON_ParseWithOpts(const char *value, const char **return_parse_end, cJSON_bool require_null_terminated)
 {
- parse_buffer buffer = { 0, 0, 0 };
+ parse_buffer buffer = { 0, 0, 0, 0 };
 cJSON *item = NULL;
 /* reset error position */
@@ -1296,6 +1297,12 @@ static cJSON_bool parse_array(cJSON * const item, parse_buffer * const input_buf
 cJSON *head = NULL; /* head of the linked list */
 cJSON *current_item = NULL;
+ if (input_buffer->depth >= CJSON_NESTING_LIMIT)
+ {
+ return false; /* to deeply nested */
+ }
+ input_buffer->depth++;
+
 if (buffer_at_offset(input_buffer)[0] != '[')
 {
 /* not an array */
@@ -1360,6 +1367,8 @@ static cJSON_bool parse_array(cJSON * const item, parse_buffer * const input_buf
 }
 success:
+ input_buffer->depth--;
+
 item->type = cJSON_Array;
 item->child = head;
@@ -1442,6 +1451,12 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
 cJSON *head = NULL; /* linked list head */
 cJSON *current_item = NULL;
+ if (input_buffer->depth >= CJSON_NESTING_LIMIT)
+ {
+ return false; /* to deeply nested */
+ }
+ input_buffer->depth++;
+
 if (cannot_access_at_index(input_buffer, 0) || (buffer_at_offset(input_buffer)[0] != '{'))
 {
 goto fail; /* not an object */
@@ -1522,6 +1537,8 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
 }
 success:
+ input_buffer->depth--;
+
 item->type = cJSON_Object;
 item->child = head;
diff --git a/cJSON.h b/cJSON.h
index 938143f..1ef70f0 100644
--- a/cJSON.h
+++ b/cJSON.h
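Review bot: `parse_buffer buffer = { 0, 0, 0, 0 };` in cJSON_ParseWithOpts initialises the struct positionally, which is why adding `depth` forced the same edit in the test hunks of tests/parse_array.c, parse_number.c, parse_object.c, parse_string.c, parse_value.c, print_array.c, print_object.c and print_value.c. `parse_buffer buffer = { 0 };` zero-initialises every member, including `depth` and any field added later, and is valid C89, so one spelling can serve all nine sites. If the project's warning set objects to the short form, `memset(&buffer, 0, sizeof(buffer));` after the declaration is the equivalent that stays quiet. The body of cJSON_ParseWithOpts continues past the hunk.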
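Review bot: `input_buffer->depth++` runs before the `[` check, and only the `success:` path (hunk at -1360) undoes it; the `fail:` label, which lies past the end of this hunk, appears to leave the counter incremented. Today that is harmless because a failing parse_array aborts the whole parse and the parse_buffer is discarded, but any future caller that retries on the same buffer would see an inflated depth and reject valid input early. Either move the increment after the `[` check and add `input_buffer->depth--;` at `fail:` as well, or record the invariant next to the check: `/* depth is restored only on success; a failed parse aborts the whole buffer */`. The same applies to parse_object (hunks at -1442 and -1522). Also, the comment should read `/* too deeply nested */`.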
@@ -123,6 +123,12 @@ then using the CJSON_API_VISIBILITY flag to "export" the same symbols the way CJ
 #endif
 #endif
+/* Limits how deeply nested arrays/objects can be before cJSON rejects to parse them.
+ * This is to prevent stack overflows. */
+#ifndef CJSON_NESTING_LIMIT
+#define CJSON_NESTING_LIMIT 1000
+#endif
+
 /* returns the version of cJSON as a string */
 CJSON_PUBLIC(const char*) cJSON_Version(void);
diff --git a/tests/misc_tests.c b/tests/misc_tests.c
index 47dff72..b638e4d 100644
--- a/tests/misc_tests.c
+++ b/tests/misc_tests.c
@@ -183,6 +183,20 @@ static void typecheck_functions_should_check_type(void)
 TEST_ASSERT_TRUE(cJSON_IsRaw(item));
 }
+static void cjson_should_not_parse_to_deeply_nested_jsons(void)
+{
+ char deep_json[CJSON_NESTING_LIMIT + 1];
+ size_t position = 0;
+
+ for (position = 0; position < sizeof(deep_json); position++)
+ {
+ deep_json[position] = '[';
+ }
+ deep_json[sizeof(deep_json) - 1] = '\0';
+
+ TEST_ASSERT_NULL_MESSAGE(cJSON_Parse(deep_json), "To deep JSONs should not be parsed.");
+}
+
 int main(void)
 {
 UNITY_BEGIN();
@@ -192,6 +206,7 @@ int main(void)
 RUN_TEST(cjson_get_object_item_should_get_object_items);
 RUN_TEST(cjson_get_object_item_case_sensitive_should_get_object_items);
 RUN_TEST(typecheck_functions_should_check_type);
+ RUN_TEST(cjson_should_not_parse_to_deeply_nested_jsons);
 return UNITY_END();
 }
diff --git a/tests/parse_array.c b/tests/parse_array.c
index a089db5..335d245 100644
--- a/tests/parse_array.c
+++ b/tests/parse_array.c
@@ -44,10 +44,9 @@ static void assert_is_array(cJSON *array_item)
 static void assert_not_array(const char *json)
 {
- parse_buffer buffer;
+ parse_buffer buffer = { 0, 0, 0, 0 };
 buffer.content = (const unsigned char*)json;
 buffer.length = strlen(json) + sizeof("");
- buffer.offset = 0;
 TEST_ASSERT_FALSE(parse_array(item, &buffer, &global_hooks));
 assert_is_invalid(item);
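Review bot: The comment on `CJSON_NESTING_LIMIT` says why the limit exists but not what it counts or how an integrator should size it, which matters because this is the one knob that turns a hostile input into a bounded failure instead of a stack overflow. I would replace the two comment lines with: `/* Maximum number of nested arrays/objects cJSON will parse; parsing fails once this depth is exceeded. This bounds the recursion depth of the parser and therefore its stack use. The stack consumed per level depends on compiler and target, so builds for small-stack (embedded) targets should define a lower value. */`. "rejects to parse" should also read "refuses to parse".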
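Review bot: The new test never reaches the depth check: `deep_json` holds exactly `CJSON_NESTING_LIMIT` opening brackets (the buffer is `CJSON_NESTING_LIMIT + 1` bytes and the last one is the terminator), but with the `>=` comparison in parse_array the limit only fires on the (CJSON_NESTING_LIMIT + 1)-th `[`, so the parse fails because the arrays are unterminated, not because they are too deep, and the test would pass with the limit removed. A well-formed input one level too deep (limit + 1 `[` followed by as many `]`) exercises the rejection; a companion case with exactly `CJSON_NESTING_LIMIT` balanced levels should parse, which also guards against an off-by-one in the check and could be added as a second function registered in the `main` hunk below. The rewrite keeps the function name that `RUN_TEST` in the second hunk refers to.
```c
static void cjson_should_not_parse_to_deeply_nested_jsons(void)
{
    /* CJSON_NESTING_LIMIT + 1 opening and closing brackets plus the terminator:
     * well-formed JSON that is exactly one level too deep. */
    char deep_json[2 * (CJSON_NESTING_LIMIT + 1) + 1];
    size_t position = 0;

    for (position = 0; position < (CJSON_NESTING_LIMIT + 1); position++)
    {
        deep_json[position] = '[';
        deep_json[(CJSON_NESTING_LIMIT + 1) + position] = ']';
    }
    deep_json[sizeof(deep_json) - 1] = '\0';

    TEST_ASSERT_NULL_MESSAGE(cJSON_Parse(deep_json), "Too deep JSONs should not be parsed.");
}
```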
@@ -55,10 +54,9 @@ static void assert_not_array(const char *json)
 static void assert_parse_array(const char *json)
 {
- parse_buffer buffer;
+ parse_buffer buffer = { 0, 0, 0, 0 };
 buffer.content = (const unsigned char*)json;
 buffer.length = strlen(json) + sizeof("");
- buffer.offset = 0;
 TEST_ASSERT_TRUE(parse_array(item, &buffer, &global_hooks));
 assert_is_array(item);
diff --git a/tests/parse_number.c b/tests/parse_number.c
index aeaa0c7..29175bd 100644
--- a/tests/parse_number.c
+++ b/tests/parse_number.c
@@ -45,10 +45,9 @@ static void assert_is_number(cJSON *number_item)
 static void assert_parse_number(const char *string, int integer, double real)
 {
- parse_buffer buffer;
+ parse_buffer buffer = { 0, 0, 0, 0 };
 buffer.content = (const unsigned char*)string;
 buffer.length = strlen(string) + sizeof("");
- buffer.offset = 0;
 TEST_ASSERT_TRUE(parse_number(item, &buffer));
 assert_is_number(item);
diff --git a/tests/parse_object.c b/tests/parse_object.c
index 4973b93..622254d 100644
--- a/tests/parse_object.c
+++ b/tests/parse_object.c
@@ -52,10 +52,9 @@ static void assert_is_child(cJSON *child_item, const char *name, int type)
 static void assert_not_object(const char *json)
 {
- parse_buffer parsebuffer;
+ parse_buffer parsebuffer = { 0, 0, 0, 0 };
 parsebuffer.content = (const unsigned char*)json;
 parsebuffer.length = strlen(json) + sizeof("");
- parsebuffer.offset = 0;
 TEST_ASSERT_FALSE(parse_object(item, &parsebuffer, &global_hooks));
 assert_is_invalid(item);
@@ -64,10 +63,9 @@ static void assert_not_object(const char *json)
 static void assert_parse_object(const char *json)
 {
- parse_buffer parsebuffer;
+ parse_buffer parsebuffer = { 0, 0, 0, 0 };
 parsebuffer.content = (const unsigned char*)json;
 parsebuffer.length = strlen(json) + sizeof("");
- parsebuffer.offset = 0;
 TEST_ASSERT_TRUE(parse_object(item, &parsebuffer, &global_hooks));
 assert_is_object(item);
diff --git a/tests/parse_string.c b/tests/parse_string.c
index a95e078..d03d945 100644
--- a/tests/parse_string.c
+++ b/tests/parse_string.c
@@ -45,10 +45,9 @@ static void assert_is_string(cJSON *string_item)
 static void assert_parse_string(const char *string, const char *expected)
 {
- parse_buffer buffer;
+ parse_buffer buffer = { 0, 0, 0, 0 };
 buffer.content = (const unsigned char*)string;
 buffer.length = strlen(string) + sizeof("");
- buffer.offset = 0;
 TEST_ASSERT_TRUE_MESSAGE(parse_string(item, &buffer, &global_hooks), "Couldn't parse string.");
 assert_is_string(item);
@@ -59,10 +58,9 @@ static void assert_parse_string(const char *string, const char *expected)
 static void assert_not_parse_string(const char * const string)
 {
- parse_buffer buffer;
+ parse_buffer buffer = { 0, 0, 0, 0 };
 buffer.content = (const unsigned char*)string;
 buffer.length = strlen(string) + sizeof("");
- buffer.offset = 0;
 TEST_ASSERT_FALSE_MESSAGE(parse_string(item, &buffer, &global_hooks), "Malformed string should not be accepted.");
 assert_is_invalid(item);
diff --git a/tests/parse_value.c b/tests/parse_value.c
index 7a10dbf..4910af9 100644
--- a/tests/parse_value.c
+++ b/tests/parse_value.c
@@ -43,10 +43,9 @@ static void assert_is_value(cJSON *value_item, int type)
 static void assert_parse_value(const char *string, int type)
 {
- parse_buffer buffer;
+ parse_buffer buffer = { 0, 0, 0, 0 };
 buffer.content = (const unsigned char*) string;
 buffer.length = strlen(string) + sizeof("");
- buffer.offset = 0;
 TEST_ASSERT_TRUE(parse_value(item, &buffer, &global_hooks));
 assert_is_value(item, type);
 }
diff --git a/tests/print_array.c b/tests/print_array.c
index c0b4e05..41805d8 100644
--- a/tests/print_array.c
+++ b/tests/print_array.c
@@ -34,10 +34,9 @@ static void assert_print_array(const char * const expected, const char * const i
 printbuffer formatted_buffer;
 printbuffer unformatted_buffer;
- parse_buffer parsebuffer;
+ parse_buffer parsebuffer = { 0, 0, 0, 0 };
 parsebuffer.content = (const unsigned char*)input;
 parsebuffer.length = strlen(input) + sizeof("");
- parsebuffer.offset = 0;
 /* buffer for formatted printing */
 formatted_buffer.buffer = printed_formatted;
diff --git a/tests/print_object.c b/tests/print_object.c
index 5b4e34b..3889823 100644
--- a/tests/print_object.c
+++ b/tests/print_object.c
@@ -33,12 +33,11 @@ static void assert_print_object(const char * const expected, const char * const
 printbuffer formatted_buffer;
 printbuffer unformatted_buffer;
- parse_buffer parsebuffer;
+ parse_buffer parsebuffer = { 0, 0, 0, 0 };
 /* buffer for parsing */
 parsebuffer.content = (const unsigned char*)input;
 parsebuffer.length = strlen(input) + sizeof("");
- parsebuffer.offset = 0;
 /* buffer for formatted printing */
 formatted_buffer.buffer = printed_formatted;
diff --git a/tests/print_value.c b/tests/print_value.c
index 56614d0..12ac261 100644
--- a/tests/print_value.c
+++ b/tests/print_value.c
@@ -33,7 +33,7 @@ static void assert_print_value(const char *input)
 unsigned char printed[1024];
 cJSON item[1];
 printbuffer buffer;
- parse_buffer parsebuffer;
+ parse_buffer parsebuffer = { 0, 0, 0, 0 };
 buffer.buffer = printed;
 buffer.length = sizeof(printed);
 buffer.offset = 0;
@@ -41,7 +41,6 @@ static void assert_print_value(const char *input)
 parsebuffer.content = (const unsigned char*)input;
 parsebuffer.length = strlen(input) + sizeof("");
- parsebuffer.offset = 0;
 memset(item, 0, sizeof(item));
-- 
GitLab