Commit 0753113a authored by Markus Armbruster

qjson: Don't crash when input exceeds nesting limit



We limit nesting depth and input size to defend against input
triggering excessive heap or stack memory use (commit 29c75ddd
json-streamer: limit the maximum recursion depth and maximum token
count).  However, when the nesting limit is exceeded,
parser_context_peek_token()'s assertion fails.

Broken in commit 65c0f1e9 "json-parser: don't replicate tokens at each
level of recursion".

To reproduce stuff 1025 open braces or brackets into QMP.

Fix by taking the error exit instead of the normal one.

Reported-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Message-Id: <1448486613-17634-3-git-send-email-armbru@redhat.com>
parent 4f2d31fb
+3 −2
@@ -68,13 +68,14 @@ static void json_message_process_token(JSONLexer *lexer, QString *token, JSONTok
        /* Security consideration, we limit total memory allocated per object
         * and the maximum recursion depth that a message can force.
         */
        goto out_emit;
        goto out_emit_bad;
    }

    return;

out_emit_bad:
    /* clear out token list and tell the parser to emit and error
    /*
     * Clear out token list and tell the parser to emit an error
     * indication by passing it a NULL list
     */
    QDECREF(parser->tokens);
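Review bot: no regression test accompanies the change; the commit message gives a one-line reproducer (1025 open braces or brackets sent over QMP), so a check-qjson case that feeds exactly that input and expects a parse error would keep the parser_context_peek_token() assertion failure from coming back. The redirected `goto out_emit_bad;` itself reads correctly: once a limit is exceeded the partial token list must not reach the parser, and the out_emit_bad path documents that a NULL list is the error signal while QDECREF(parser->tokens) releases the tokens gathered so far. Since the comment at the top of the hunk presents the depth and memory limits as a security consideration, it would be worth stating there that hitting a limit is now reported to the caller as an error rather than handled like a completed message, so the next reader does not reintroduce the normal exit.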