54 lines
2.0 KiB
Diff
54 lines
2.0 KiB
Diff
From e50154f615cbd2a14857a6f68462e3a699be42d8 Mon Sep 17 00:00:00 2001
|
|
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
|
Date: Sat, 22 Aug 2020 13:09:11 +0200
|
|
Subject: [PATCH] Cap string length at INT_MAX.
|
|
|
|
Several issues occur if a string is longer than INT_MAX:
|
|
|
|
- The function json_object_get_string_len returns the length of a string
|
|
as int. If the string is longer than INT_MAX, the result would be
|
|
negative.
|
|
- That in turn would lead to possible out of boundary access when
|
|
comparing these strings with memcmp and the returned length as done in
|
|
json_object_equal.
|
|
- If json_escape_str is called with such strings, out of boundary
|
|
accesses can occur due to internal int handling (also fixed).
|
|
- The string cannot be printed out due to printbuffer limits at
|
|
INT_MAX (which is still true after this commit).
|
|
|
|
Such huge strings can only be inserted through API calls at this point
|
|
because input files are capped at INT_MAX anyway.
|
|
|
|
Due to huge amount of RAM needed to reproduce these issues I have not
|
|
added test cases.
|
|
---
|
|
json_object.c | 7 ++++---
|
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/json_object.c b/json_object.c
|
|
index f8d14d5aa9..b42026b681 100644
|
|
--- a/json_object.c
|
|
+++ b/json_object.c
|
|
@@ -214,7 +214,7 @@ static inline const char *get_string_component(const struct json_object *jso)
|
|
|
|
static int json_escape_str(struct printbuf *pb, const char *str, size_t len, int flags)
|
|
{
|
|
- int pos = 0, start_offset = 0;
|
|
+ size_t pos = 0, start_offset = 0;
|
|
unsigned char c;
|
|
while (len--)
|
|
{
|
|
@@ -1329,9 +1329,10 @@ static int _json_object_set_string_len(json_object *jso, const char *s, size_t l
|
|
if (jso == NULL || jso->o_type != json_type_string)
|
|
return 0;
|
|
|
|
- if (len >= SSIZE_T_MAX - 1)
|
|
+ if (len >= INT_MAX - 1)
|
|
// jso->len is a signed ssize_t, so it can't hold the
|
|
- // full size_t range.
|
|
+ // full size_t range. json_object_get_string_len returns
|
|
+ // length as int, cap length at INT_MAX.
|
|
return 0;
|
|
|
|
dstbuf = get_string_component_mutable(jso);
|