guix/gnu/packages/patches/jansson-CVE-2016-4425.patch

126 lines
101 KiB
Diff
Raw Normal View History

From 64ce0ad3731ebd77e02897b07920eadd0e2cc318 Mon Sep 17 00:00:00 2001
From: Dmitry Janushkevich <gauri@tut.by>
Date: Mon, 2 May 2016 13:59:26 +0200
Subject: [PATCH] Fix for issue #282
The fix limits recursion depths when parsing arrays and objects.
The limit is configurable via the `JSON_PARSER_MAX_DEPTH` setting
within `jansson_config.h` and is set by default to 2048.
Update the RFC conformance document to note the limit; the RFC
allows limits to be set by the implementation so nothing has
actually changed w.r.t. conformance state.
Reported by Gustavo Grieco.
---
android/jansson_config.h | 4 ++++
cmake/jansson_config.h.cmake | 4 ++++
doc/conformance.rst | 10 ++++++++++
src/jansson_config.h.in | 4 ++++
src/load.c | 10 ++++++++++
test/suites/invalid/recursion-depth/error | 2 ++
test/suites/invalid/recursion-depth/input | 1 +
7 files changed, 35 insertions(+)
create mode 100644 test/suites/invalid/recursion-depth/error
create mode 100644 test/suites/invalid/recursion-depth/input
--- a/android/jansson_config.h
+++ b/android/jansson_config.h
@@ -36,4 +36,8 @@
otherwise to 0. */
#define JSON_HAVE_LOCALECONV 0
+/* Maximum recursion depth for parsing JSON input.
+ This limits the depth of e.g. array-within-array constructions. */
+#define JSON_PARSER_MAX_DEPTH 2048
+
#endif
--- a/cmake/jansson_config.h.cmake
+++ b/cmake/jansson_config.h.cmake
@@ -60,5 +60,9 @@
#define JSON_HAVE_LOCALECONV @JSON_HAVE_LOCALECONV@
+/* Maximum recursion depth for parsing JSON input.
+ This limits the depth of e.g. array-within-array constructions. */
+#define JSON_PARSER_MAX_DEPTH 2048
+
#endif
--- a/doc/conformance.rst
+++ b/doc/conformance.rst
@@ -108,3 +108,13 @@
are implicitly handled via the ordinary C type coercion rules (subject
to overflow semantics). Also, no support or hooks are provided for any
supplemental "bignum" type add-on packages.
+
+Depth of nested values
+----------------------
+
+To avoid stack exhaustion, Jansson currently limits the nesting depth
+for arrays and objects to a certain value (default: 2048), defined as
+a macro ``JSON_PARSER_MAX_DEPTH`` within ``jansson_config.h``.
+
+The limit is allowed to be set by the RFC; there is no recommended value
+or required minimum depth to be supported.
--- a/src/jansson_config.h.in
+++ b/src/jansson_config.h.in
@@ -36,4 +36,8 @@
otherwise to 0. */
#define JSON_HAVE_LOCALECONV @json_have_localeconv@
+/* Maximum recursion depth for parsing JSON input.
+ This limits the depth of e.g. array-within-array constructions. */
+#define JSON_PARSER_MAX_DEPTH 2048
+
#endif
--- a/src/load.c
+++ b/src/load.c
@@ -61,6 +61,7 @@
typedef struct {
stream_t stream;
strbuffer_t saved_text;
+ size_t depth;
int token;
union {
struct {
@@ -800,6 +801,12 @@
json_t *json;
double value;
+ lex->depth++;
+ if(lex->depth > JSON_PARSER_MAX_DEPTH) {
+ error_set(error, lex, "maximum parsing depth reached");
+ return NULL;
+ }
+
switch(lex->token) {
case TOKEN_STRING: {
const char *value = lex->value.string.val;
@@ -870,6 +877,7 @@
if(!json)
return NULL;
+ lex->depth--;
return json;
}
@@ -877,6 +885,8 @@
{
json_t *result;
+ lex->depth = 0;
+
lex_scan(lex, error);
if(!(flags & JSON_DECODE_ANY)) {
if(lex->token != '[' && lex->token != '{') {
--- /dev/null
+++ b/test/suites/invalid/recursion-depth/error
@@ -0,0 +1,2 @@
+1 2049 2049
+maximum parsing depth reached near '['
--- /dev/null
+++ b/test/suites/invalid/recursion-depth/input
@@ -0,0 +1 @@
