qjson: Don't crash when input exceeds nesting limit

We limit nesting depth and input size to defend against input triggering excessive heap or stack memory use (commit 29c75dd json-streamer: limit the maximum recursion depth and maximum token count). However, when the nesting limit is exceeded, parser_context_peek_token()'s assertion fails. Broken in commit 65c0f1e "json-parser: don't replicate tokens at each level of recursion". To reproduce stuff 1025 open braces or brackets into QMP. Fix by taking the error exit instead of the normal one. Reported-by: Eric Blake <eblake@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Message-Id: <1448486613-17634-3-git-send-email-armbru@redhat.com>
2024-11-23 19:49:43 +00:00 · 2015-11-25 22:23:23 +01:00 · 2015-11-25 22:23:23 +01:00 · 0753113a26
commit 0753113a26
parent 4f2d31fbc0
1 changed files with 3 additions and 2 deletions
--- a/qobject/json-streamer.c
+++ b/qobject/json-streamer.c
@ -68,13 +68,14 @@ static void json_message_process_token(JSONLexer *lexer, QString *token, JSONTok
        /* Security consideration, we limit total memory allocated per object
         * and the maximum recursion depth that a message can force.
         */
-        goto out_emit;
+        goto out_emit_bad;
    }

    return;

 out_emit_bad:
-    /* clear out token list and tell the parser to emit and error
+    /*
+     * Clear out token list and tell the parser to emit an error
     * indication by passing it a NULL list
     */
    QDECREF(parser->tokens);