Ugh, I almost dropped this on the floor. I think it should go into 2.5, and I plan to take it through my tree. If you disagree, please speak up.
We limit nesting depth and input size to defend against input triggering excessive heap or stack memory use (commit 29c75dd json-streamer: limit the maximum recursion depth and maximum token count). This limiting is flawed in multiple ways. Fix it up some.

Not yet fixed: this JSON parser is an absurd memory hog; see last patch.

v2:
* Trivially rebased, R-bys retained
* PATCH 3: Fix a nearby comment typo [Eric]
* PATCH 4: Simplify make_nest() slightly
* PATCH 5: Commit message tweaked

Markus Armbruster (4):
  json-streamer: Apply nesting limit more sanely
  json-streamer: Don't crash when input exceeds nesting limit
  check-qjson: Add test for JSON nesting depth limit
  json-streamer: Limit number of tokens in addition to total size

 qobject/json-streamer.c | 10 ++++++----
 tests/check-qjson.c     | 25 +++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 4 deletions(-)

--
2.4.3
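The three limits the series names (nesting depth, token count, total size), sketched as a streaming guard that returns an error status when a limit is hit. This is an added example, not code from the series or from QEMU; the `Guard` type, the function names and the limit values are assumptions chosen for illustration.

```c
#include <stddef.h>

/* Hypothetical limits for this sketch; not the values QEMU uses. */
enum { MAX_NESTING = 8, MAX_TOKENS = 64, MAX_BYTES = 256 };

typedef enum { FEED_OK, FEED_TOO_DEEP, FEED_TOO_MANY_TOKENS,
               FEED_TOO_BIG, FEED_UNBALANCED } FeedStatus;

typedef struct {
    int depth;              /* currently open '{' and '[' */
    size_t tokens;          /* structural tokens and strings seen so far */
    size_t bytes;           /* bytes consumed for the current value */
    int in_string, escaped; /* lexer state: brackets in strings don't nest */
} Guard;

/* Feed one byte. Any status other than FEED_OK means the caller should
 * discard what it buffered and report an error instead of parsing on. */
static FeedStatus guard_feed(Guard *g, char c)
{
    if (++g->bytes > MAX_BYTES) return FEED_TOO_BIG;
    if (g->in_string) {
        if (g->escaped) g->escaped = 0;
        else if (c == '\\') g->escaped = 1;
        else if (c == '"') g->in_string = 0;
        return FEED_OK;
    }
    switch (c) {
    case '"': g->in_string = 1; break;
    case '{': case '[':
        if (++g->depth > MAX_NESTING) return FEED_TOO_DEEP;
        break;
    case '}': case ']':
        if (--g->depth < 0) return FEED_UNBALANCED;
        break;
    case ',': case ':': break;
    default: return FEED_OK; /* whitespace and literal bytes: size only */
    }
    /* Many tiny tokens cost far more memory than their byte count. */
    if (++g->tokens > MAX_TOKENS) return FEED_TOO_MANY_TOKENS;
    return FEED_OK;
}

/* Run the guard over a NUL-terminated input; first violation wins. */
FeedStatus guard_check(const char *input)
{
    Guard g = {0};
    FeedStatus s = FEED_OK;
    for (size_t i = 0; input[i] && s == FEED_OK; i++)
        s = guard_feed(&g, input[i]);
    return s;
}
```

An input of short tokens can stay well under the byte limit and still trip the token limit, which is why the two are checked separately.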