author | drh <> | 2023-05-03 06:38:03 +0000 |
---|---|---|
committer | drh <> | 2023-05-03 06:38:03 +0000 |
commit | 681307dc80fbea863772ad602f70c4db640d7435 (patch) | |
tree | 0e1fa84759386e543977aad4978cd8f2179d209c /src/json.c | |
parent | 790adfd8ec593efac6dc90d64b3922ec12b26990 (diff) | |
Improved detection of excess recursion on arrays and objects in the JSON
parser. Fixes a problem detected by dbsqlfuzz.
FossilOrigin-Name: d40fd5924adaa8d6b1dd6b9a4087f64d496cf60096ae11c9229c59309c0d4844
Diffstat (limited to 'src/json.c')
-rw-r--r-- | src/json.c | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/src/json.c b/src/json.c
index acdc5a156..ada8a91c5 100644
--- a/src/json.c
+++ b/src/json.c
@@ -1080,17 +1080,16 @@ json_parse_restart:
 /* Parse object */
 iThis = jsonParseAddNode(pParse, JSON_OBJECT, 0, 0);
 if( iThis<0 ) return -1;
+ if( ++pParse->iDepth > JSON_MAX_DEPTH ){
+ pParse->iErr = i;
+ return -1;
+ }
 for(j=i+1;;j++){
- if( ++pParse->iDepth > JSON_MAX_DEPTH ){
- pParse->iErr = j;
- return -1;
- }
 x = jsonParseValue(pParse, j);
 if( x<=0 ){
 if( x==(-2) ){
 j = pParse->iErr;
 if( pParse->nNode!=(u32)iThis+1 ) pParse->hasNonstd = 1;
- pParse->iDepth--;
 break;
 }
 j += json5Whitespace(&z[j]);
@@ -1138,7 +1137,6 @@ json_parse_restart:
 }
 parse_object_value:
 x = jsonParseValue(pParse, j);
- pParse->iDepth--;
 if( x<=0 ){
 if( x!=(-1) ) pParse->iErr = j;
 return -1;
@@ -1171,20 +1169,20 @@ json_parse_restart:
 return -1;
 }
 pParse->aNode[iThis].n = pParse->nNode - (u32)iThis - 1;
+ pParse->iDepth--;
 return j+1;
 }
 case '[': {
 /* Parse array */
 iThis = jsonParseAddNode(pParse, JSON_ARRAY, 0, 0);
 if( iThis<0 ) return -1;
+ if( ++pParse->iDepth > JSON_MAX_DEPTH ){
+ pParse->iErr = i;
+ return -1;
+ }
 memset(&pParse->aNode[iThis].u, 0, sizeof(pParse->aNode[iThis].u));
 for(j=i+1;;j++){
- if( ++pParse->iDepth > JSON_MAX_DEPTH ){
- pParse->iErr = j;
- return -1;
- }
 x = jsonParseValue(pParse, j);
- pParse->iDepth--;
 if( x<=0 ){
 if( x==(-3) ){
 j = pParse->iErr;
@@ -1222,6 +1220,7 @@ json_parse_restart:
 return -1;
 }
 pParse->aNode[iThis].n = pParse->nNode - (u32)iThis - 1;
+ pParse->iDepth--;
 return j+1;
 }
 case '\'': { |
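Review bot: The depth counter is now restored only on the success path. After `++pParse->iDepth` in the object case, every later `return -1` (for example the one following `parse_object_value:` in the second hunk) leaves `iDepth` one higher than on entry, and the array case in the third hunk has the same shape. That is safe only if a failed parse never reuses the counter, which these hunks do not show, so the assumption deserves a comment at each increment, e.g. `/* iDepth is not restored on error returns; a failed parse must not be resumed */`. Because this limit is what bounds recursion on deeply nested input, a regression case nested to exactly `JSON_MAX_DEPTH` and to one level beyond would pin both sides of the boundary. The enclosing function starts and ends outside the hunks.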