From: drh <>
Date: Wed, 3 May 2023 06:38:03 +0000 (+0000)
Subject: Improved detection of excess recursion on arrays and objects in the JSON
X-Git-Tag: version-3.42.0~56
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=681307dc80fbea863772ad602f70c4db640d7435;p=thirdparty%2Fsqlite.git
Improved detection of excess recursion on arrays and objects in the JSON parser. Fixes a problem detected by dbsqlfuzz.
FossilOrigin-Name: d40fd5924adaa8d6b1dd6b9a4087f64d496cf60096ae11c9229c59309c0d4844
---
diff --git a/manifest b/manifest
index 27d4f511fe..7fbb70d9a1 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Do\snot\soverflow\sthe\sIndex.aSample[]\sarray\sif\sthe\ssame\sindex\sappears\sin\nthe\ssqlite_stat4\stable\sunder\smultiple\snames\sbecause\sit\sis\sa\sWITHOUT\sROWID\nprimary\skey\sindex.\s\s[forum:/info/537d8ab118df7edd|Forum\spost\s537d8ab118df7edd]
-D 2023-05-03T05:00:10.543
+C Improved\sdetection\sof\sexcess\srecursion\son\sarrays\sand\sobjects\sin\sthe\sJSON\nparser.\s\sFixes\sa\sproblem\sdetected\sby\sdbsqlfuzz.
+D 2023-05-03T06:38:03.879
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -595,7 +595,7 @@ F src/hash.h 3340ab6e1d13e725571d7cee6d3e3135f0779a7d8e76a9ce0a85971fa3953c51
 F src/hwtime.h b638809e083b601b618df877b2e89cb87c2a47a01f4def10be4c4ebb54664ac7
 F src/in-operator.md 10cd8f4bcd225a32518407c2fb2484089112fd71
 F src/insert.c a8de1db43335fc4946370a7a7e47d89975ad678ddb15078a150e993ba2fb37d4
-F src/json.c 2cbf343884b0f0e7b4c39f8cb8a2dbf4fb49d92161aff4c76a20996d799cbe18
+F src/json.c 7297dbd1d623850578c21bb8a99b87e745d09e14fd36ebc965ace67c86f902b4
 F src/legacy.c d7874bc885906868cd51e6c2156698f2754f02d9eee1bae2d687323c3ca8e5aa
 F src/loadext.c be5af440f3192c58681b5d43167dbca3ccbfce394d89faa22378a14264781136
 F src/main.c 035be2e9ba2a0fc1701a8ab1880af3001a968a24556433538a6c073558ee4341
@@ -2068,8 +2068,8 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 0bf94c77d97582be5368bcfd149f3db7b9f928b4684aaa2626d98a2bdee8f96f
-R 10c4a6193cf051d317d0d136b4fd36a0
+P 9350a25ac0b55a6b901bc50e4db6d4e883c2617e1d2a8fdc90effabe52bb0012
+R 45a463b95a50344e49894bd782f939f9
 U drh
-Z 7e374cf5088f9e2c791d6b9dcea464ad
+Z e8683fa9e2b198eeacdd4ef8add8ddad
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index ee2634d489..bb81c544f8 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-9350a25ac0b55a6b901bc50e4db6d4e883c2617e1d2a8fdc90effabe52bb0012
\ No newline at end of file
+d40fd5924adaa8d6b1dd6b9a4087f64d496cf60096ae11c9229c59309c0d4844
\ No newline at end of file
diff --git a/src/json.c b/src/json.c
index acdc5a1565..ada8a91c58 100644
--- a/src/json.c
+++ b/src/json.c
@@ -1080,17 +1080,16 @@ json_parse_restart:
 /* Parse object */
 iThis = jsonParseAddNode(pParse, JSON_OBJECT, 0, 0);
 if( iThis<0 ) return -1;
+ if( ++pParse->iDepth > JSON_MAX_DEPTH ){
+ pParse->iErr = i;
+ return -1;
+ }
 for(j=i+1;;j++){
- if( ++pParse->iDepth > JSON_MAX_DEPTH ){
- pParse->iErr = j;
- return -1;
- }
 x = jsonParseValue(pParse, j);
 if( x<=0 ){
 if( x==(-2) ){
 j = pParse->iErr;
 if( pParse->nNode!=(u32)iThis+1 ) pParse->hasNonstd = 1;
- pParse->iDepth--;
 break;
 }
 j += json5Whitespace(&z[j]);
@@ -1138,7 +1137,6 @@ json_parse_restart:
 }
 parse_object_value:
 x = jsonParseValue(pParse, j);
- pParse->iDepth--;
 if( x<=0 ){
 if( x!=(-1) ) pParse->iErr = j;
 return -1;
@@ -1171,20 +1169,20 @@ json_parse_restart:
 return -1;
 }
 pParse->aNode[iThis].n = pParse->nNode - (u32)iThis - 1;
+ pParse->iDepth--;
 return j+1;
 }
 case '[': {
 /* Parse array */
 iThis = jsonParseAddNode(pParse, JSON_ARRAY, 0, 0);
 if( iThis<0 ) return -1;
+ if( ++pParse->iDepth > JSON_MAX_DEPTH ){
+ pParse->iErr = i;
+ return -1;
+ }
 memset(&pParse->aNode[iThis].u, 0, sizeof(pParse->aNode[iThis].u));
 for(j=i+1;;j++){
- if( ++pParse->iDepth > JSON_MAX_DEPTH ){
- pParse->iErr = j;
- return -1;
- }
 x = jsonParseValue(pParse, j);
- pParse->iDepth--;
 if( x<=0 ){
 if( x==(-3) ){
 j = pParse->iErr;
@@ -1222,6 +1220,7 @@ json_parse_restart:
 return -1;
 }
 pParse->aNode[iThis].n = pParse->nNode - (u32)iThis - 1;
+ pParse->iDepth--;
 return j+1;
 }
 case '\'': {
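Review bot: The new depth guard placed right after jsonParseAddNode in the object case (and its twin in the array case in the third hunk) returns -1 with pParse->iDepth still incremented, and the same is true of the other `return -1` paths visible in these hunks, since the only decrements left are the ones now placed before `return j+1` in the third and fourth hunks. That is harmless as long as a JsonParse that failed is never parsed into again without being reset, which I cannot confirm from these hunks alone, so it is worth recording at the guard, e.g. `/* Bound nesting so hostile input cannot exhaust the C stack; iDepth is rebalanced only on the success path, every -1 return abandons the parse */`. Note also that iErr is now set to i, the position of the opening bracket, whereas the removed check reported j, the position of the first element; that reads as intentional because the container itself is what breaches JSON_MAX_DEPTH, but a one-line comment would save the next reader the comparison. The guard and the matching decrement are duplicated verbatim for '{' and '[', so a small static inline helper such as `jsonEnterContainer(pParse, i)` would keep the two copies from drifting apart. jsonParseValue begins and ends outside these hunks.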