From: lone Date: Sun, 25 Jan 2026 15:54:27 +0000 (+0800) Subject: Fix: OOM vulnerability cause by is_valid_index X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3d864020283595a147d538f6f8ab1d9f1387fd67;p=thirdparty%2Fjson-c.git Fix: OOM vulnerability cause by is_valid_index An OOM vulnerability exists in the json_pointer_set function (and related functions). See issue #916 for more details. To fix that, added a sanity check in the is_valid_index function to limit the maximum value of a parsed array index. Provided a configurable macro for modification. Signed-off-by: lone --- diff --git a/json_pointer.c b/json_pointer.c index 6e5609d..5a3a7ef 100644 --- a/json_pointer.c +++ b/json_pointer.c @@ -79,6 +79,16 @@ static int is_valid_index(const char *path, size_t *idx) // but ULLONG_MAX will be longer than any array length so that's ok. *idx = strtoull(path, NULL, 10); + // Check against a maximum to prevent excessive memory allocations. + // An extremely large index, even if it doesn't overflow size_t, + // will cause a huge memory allocation request via realloc, + // leading to an OOM. + if (*idx > JSON_C_POINTER_MAX_ARRAY_IDX) + { + errno = EINVAL; + return 0; + } + return 1; } diff --git a/json_pointer.h b/json_pointer.h index dfe1185..a44a0f9 100644 --- a/json_pointer.h +++ b/json_pointer.h @@ -20,6 +20,14 @@ extern "C" { #endif +/** + * Maximum array index for JSON Pointer, preventing excessive memory allocations. + * The default value is 10,000,000. + */ +#ifndef JSON_C_POINTER_MAX_ARRAY_IDX +#define JSON_C_POINTER_MAX_ARRAY_IDX 10000000 +#endif + /** * Retrieves a JSON sub-object from inside another JSON object * using the JSON pointer notation as defined in RFC 6901
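Review bot: In the json_pointer.c hunk, the new bound is compared against *idx only after `*idx = strtoull(path, NULL, 10);` has already stored the parsed value in a size_t. Where size_t is narrower than unsigned long long, an oversized value is truncated before `if (*idx > JSON_C_POINTER_MAX_ARRAY_IDX)` runs and can wrap to a small index that passes the check. Suggest parsing into a local unsigned long long, comparing that against the limit, and assigning to *idx only once it has passed. A test that uses an index just above the limit and asserts a 0 return with errno == EINVAL would pin the behaviour.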
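Review bot: In the json_pointer.h hunk, the doc comment for JSON_C_POINTER_MAX_ARRAY_IDX does not say when an override takes effect or what a caller sees at the limit. The check is compiled into json_pointer.c, so defining the macro in an application before including this public header leaves the library's own limit unchanged; the comment should state that the value has to be set when json-c itself is built. It should also document that the bound is inclusive (the check is `*idx > JSON_C_POINTER_MAX_ARRAY_IDX`) and that a larger index is rejected by is_valid_index with errno set to EINVAL.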