An OOM vulnerability exists in the json_pointer_set function (and related functions).
See issue #916 for more details.
To fix that, added a sanity check in the is_valid_index function to limit the maximum value of a parsed array index.
Provided a configurable macro for modification.
Signed-off-by: lone <lonechan314@qq.com>
// but ULLONG_MAX will be longer than any array length so that's ok.
*idx = strtoull(path, NULL, 10);
+ // Check against a maximum to prevent excessive memory allocations.
+ // An extremely large index, even if it doesn't overflow size_t,
+ // will cause a huge memory allocation request via realloc,
+ // leading to an OOM.
+ if (*idx > JSON_C_POINTER_MAX_ARRAY_IDX)
+ {
+ errno = EINVAL;
+ return 0;
+ }
+
return 1;
}
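Review bot: the existing comment two lines above the new check ("ULLONG_MAX will be longer than any array length so that's ok") is now stale, because any value above JSON_C_POINTER_MAX_ARRAY_IDX, ULLONG_MAX included, is rejected with EINVAL rather than tolerated; update that comment to describe the cap so the two explanations do not contradict each other. A second point worth stating in the commit message or a comment: since the cap lives in is_valid_index rather than in the set path alone, every caller that parses an index through this function is affected, so a lookup (not only a set) with an index above the cap will now fail with errno = EINVAL instead of simply not finding the element; that behaviour change should be documented so callers checking errno are not surprised. Finally, EINVAL is a defensible choice for consistency with the other validation failures here, but the comment could say why ERANGE was not used, since the condition is a range limit.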
extern "C" {
#endif
+/**
+ * Maximum array index for JSON Pointer, preventing excessive memory allocations.
+ * The default value is 10,000,000.
+ */
+#ifndef JSON_C_POINTER_MAX_ARRAY_IDX
+#define JSON_C_POINTER_MAX_ARRAY_IDX 10000000
+#endif
+
/**
* Retrieves a JSON sub-object from inside another JSON object
* using the JSON pointer notation as defined in RFC 6901
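Review bot: the doc comment says "Maximum array index", but the check in json_pointer.c is `if (*idx > JSON_C_POINTER_MAX_ARRAY_IDX)`, so the value itself is still accepted; say "maximum allowed index (inclusive)" and, since this is a public header, state how it is configured (define JSON_C_POINTER_MAX_ARRAY_IDX before including the header, or on the compiler command line, as the `#ifndef` guard implies). It would also help to note in the comment that the default of 10,000,000 is a ceiling on the number of array slots a single pointer operation may force the library to allocate, so users on memory-constrained targets know this is the knob to lower; the commit message mentions the macro is configurable but the header text does not.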