detect size overflow in ubjson and bjdata

Qianqian Fang 2022-06-07 14:45:42 -04:00
parent bccd7aeef2
commit 6a33177460
3 changed files with 30 additions and 3 deletions


@ -2079,6 +2079,11 @@ class binary_reader
return sax->parse_error(chars_read, get_token_string(), parse_error::create(113, chars_read,
exception_message(input_format, "count in an optimized container must be positive", "size"), nullptr));
}
if (number > std::numeric_limits<std::size_t>::max())
{
return sax->parse_error(chars_read, get_token_string(), parse_error::create(408, chars_read,
exception_message(input_format, "integer value overflow", "size"), nullptr));
}
result = static_cast<std::size_t>(number);
return true;
}
@ -2124,6 +2129,11 @@ class binary_reader
{
return false;
}
if (number > std::numeric_limits<std::size_t>::max())
{
return sax->parse_error(chars_read, get_token_string(), parse_error::create(408, chars_read,
exception_message(input_format, "integer value overflow", "size"), nullptr));
}
result = detail::conditional_static_cast<std::size_t>(number);
return true;
}
@ -2170,7 +2180,7 @@ class binary_reader
result *= i;
if (result == 0) // because dim elements shall not have zeros, result = 0 means overflow happened
{
return sax->parse_error(chars_read, get_token_string(), parse_error::create(113, chars_read, exception_message(input_format, "excessive ndarray size caused overflow", "size"), nullptr));
return sax->parse_error(chars_read, get_token_string(), parse_error::create(408, chars_read, exception_message(input_format, "excessive ndarray size caused overflow", "size"), nullptr));
}
if (JSON_HEDLEY_UNLIKELY(!sax->number_unsigned(static_cast<number_unsigned_t>(i))))
{
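Review bot: The `result == 0` test after `result *= i` in the third hunk only catches a product that wraps to exactly zero; an unsigned product that wraps to any other value is still accepted as the ndarray size, and this commit changes only the error id there (113 to 408). Checking before the multiplication covers every case: `if (i != 0 && result > std::numeric_limits<std::size_t>::max() / i)` with the same 408 `parse_error` return, placed ahead of `result *= i;`. Separately, the new `number > std::numeric_limits<std::size_t>::max()` guard in the first hunk appears to compare a signed `number` (it follows the "must be positive" check) with an unsigned limit, so an explicit cast would avoid sign-compare warnings on 64-bit builds. The enclosing loop and functions start outside the hunks, so `result` and `i` are assumed to be `std::size_t`; the second file section repeats the same three hunks and needs the same change.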


@ -10669,6 +10669,11 @@ class binary_reader
return sax->parse_error(chars_read, get_token_string(), parse_error::create(113, chars_read,
exception_message(input_format, "count in an optimized container must be positive", "size"), nullptr));
}
if (number > std::numeric_limits<std::size_t>::max())
{
return sax->parse_error(chars_read, get_token_string(), parse_error::create(408, chars_read,
exception_message(input_format, "integer value overflow", "size"), nullptr));
}
result = static_cast<std::size_t>(number);
return true;
}
@ -10714,6 +10719,11 @@ class binary_reader
{
return false;
}
if (number > std::numeric_limits<std::size_t>::max())
{
return sax->parse_error(chars_read, get_token_string(), parse_error::create(408, chars_read,
exception_message(input_format, "integer value overflow", "size"), nullptr));
}
result = detail::conditional_static_cast<std::size_t>(number);
return true;
}
@ -10760,7 +10770,7 @@ class binary_reader
result *= i;
if (result == 0) // because dim elements shall not have zeros, result = 0 means overflow happened
{
return sax->parse_error(chars_read, get_token_string(), parse_error::create(113, chars_read, exception_message(input_format, "excessive ndarray size caused overflow", "size"), nullptr));
return sax->parse_error(chars_read, get_token_string(), parse_error::create(408, chars_read, exception_message(input_format, "excessive ndarray size caused overflow", "size"), nullptr));
}
if (JSON_HEDLEY_UNLIKELY(!sax->number_unsigned(static_cast<number_unsigned_t>(i))))
{


@ -2541,7 +2541,14 @@ TEST_CASE("BJData")
CHECK_THROWS_WITH_AS(_ = json::from_bjdata(vL), "[json.exception.parse_error.113] parse error at byte 11: syntax error while parsing BJData size: count in an optimized container must be positive", json::parse_error&);
CHECK(json::from_bjdata(vL, true, false).is_discarded());
CHECK_THROWS_WITH_AS(_ = json::from_bjdata(vM), "[json.exception.parse_error.113] parse error at byte 18: syntax error while parsing BJData size: excessive ndarray size caused overflow", json::parse_error&);
if(sizeof(size_t)==4)
{
CHECK_THROWS_WITH_AS(_ = json::from_bjdata(vM), "[json.exception.parse_error.408] parse error at byte 17: syntax error while parsing BJData size: integer value overflow", json::parse_error&);
}
else
{
CHECK_THROWS_WITH_AS(_ = json::from_bjdata(vM), "[json.exception.parse_error.408] parse error at byte 18: syntax error while parsing BJData size: excessive ndarray size caused overflow", json::parse_error&);
}
CHECK(json::from_bjdata(vM, true, false).is_discarded());
}
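Review bot: The `sizeof(size_t)==4` branch means the "integer value overflow" expectation runs only on 32-bit targets, so on a 64-bit build this test exercises none of the new `number > std::numeric_limits<std::size_t>::max()` guards. A short comment above the branch would explain why the byte offset and message differ, e.g. `// 32-bit: the size value itself does not fit in size_t; 64-bit: only the dimension product overflows` (inferred from the two messages, since `vM` is defined outside the hunk). It would also help to add a case whose dimension product wraps to a non-zero value, because the 64-bit expectation presumably covers only the `result == 0` path. The TEST_CASE body starts outside the hunk.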