git.ipfire.org Git - thirdparty/json-c.git/commit

author	Tobias Stoeckmann <tobias@stoeckmann.org>
	Sat, 22 Aug 2020 11:09:11 +0000 (13:09 +0200)
committer	Tobias Stoeckmann <tobias@stoeckmann.org>
	Sat, 22 Aug 2020 11:16:36 +0000 (13:16 +0200)
commit	e50154f615cbd2a14857a6f68462e3a699be42d8
tree	6b32898bdc488afa5dd6e21aa10146bba943b1f4	tree
parent	583911a66c5b1103e7c98e59ef165631c0cbf290	commit \| diff

Cap string length at INT_MAX.

Several issues occur if a string is longer than INT_MAX:

- The function json_object_get_string_len returns the length of a string
  as int. If the string is longer than INT_MAX, the result would be
  negative.
- That in turn would lead to possible out of boundary access when
  comparing these strings with memcmp and the returned length as done in
  json_object_equal.
- If json_escape_str is called with such strings, out of boundary
  accesses can occur due to internal int handling (also fixed).
- The string cannot be printed out due to printbuffer limits at
  INT_MAX (which is still true after this commit).

Such huge strings can only be inserted through API calls at this point
because input files are capped at INT_MAX anyway.

Due to huge amount of RAM needed to reproduce these issues I have not
added test cases.