detect size overflow in ubjson and bjdata

Qianqian Fang 2022-06-07 14:45:42 -04:00
parent bccd7aeef2
commit 6a33177460
3 changed files with 30 additions and 3 deletions


@ -2079,6 +2079,11 @@ class binary_reader
return sax->parse_error(chars_read, get_token_string(), parse_error::create(113, chars_read, return sax->parse_error(chars_read, get_token_string(), parse_error::create(113, chars_read,
exception_message(input_format, "count in an optimized container must be positive", "size"), nullptr)); exception_message(input_format, "count in an optimized container must be positive", "size"), nullptr));
} }
if (number > std::numeric_limits<std::size_t>::max())
{
return sax->parse_error(chars_read, get_token_string(), parse_error::create(408, chars_read,
exception_message(input_format, "integer value overflow", "size"), nullptr));
}
result = static_cast<std::size_t>(number); result = static_cast<std::size_t>(number);
return true; return true;
} }
@ -2124,6 +2129,11 @@ class binary_reader
{ {
return false; return false;
} }
if (number > std::numeric_limits<std::size_t>::max())
{
return sax->parse_error(chars_read, get_token_string(), parse_error::create(408, chars_read,
exception_message(input_format, "integer value overflow", "size"), nullptr));
}
result = detail::conditional_static_cast<std::size_t>(number); result = detail::conditional_static_cast<std::size_t>(number);
return true; return true;
} }
@ -2170,7 +2180,7 @@ class binary_reader
result *= i; result *= i;
if (result == 0) // because dim elements shall not have zeros, result = 0 means overflow happened if (result == 0) // because dim elements shall not have zeros, result = 0 means overflow happened
{ {
return sax->parse_error(chars_read, get_token_string(), parse_error::create(113, chars_read, exception_message(input_format, "excessive ndarray size caused overflow", "size"), nullptr)); return sax->parse_error(chars_read, get_token_string(), parse_error::create(408, chars_read, exception_message(input_format, "excessive ndarray size caused overflow", "size"), nullptr));
} }
if (JSON_HEDLEY_UNLIKELY(!sax->number_unsigned(static_cast<number_unsigned_t>(i)))) if (JSON_HEDLEY_UNLIKELY(!sax->number_unsigned(static_cast<number_unsigned_t>(i))))
{ {
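Review bot: The `result == 0` test after `result *= i;` in the third hunk does not catch every overflow, and the commit changes only its error code from 113 to 408. An unsigned product that wraps is zero only when the true product is a multiple of 2^N for an N-bit `result`; other dimension combinations wrap to a small non-zero value, so a crafted BJData header could yield a total size that disagrees with its dimensions. Checking before the multiplication, e.g. `if (i != 0 && result > std::numeric_limits<std::size_t>::max() / i)` ahead of `result *= i;` with the same 408 error, rejects those inputs, assuming `result` is a `std::size_t` as in the other two hunks. The loop and its function begin and end outside the hunk, and the same lines appear in the second file section (the hunk at line 10760).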


@ -10669,6 +10669,11 @@ class binary_reader
return sax->parse_error(chars_read, get_token_string(), parse_error::create(113, chars_read, return sax->parse_error(chars_read, get_token_string(), parse_error::create(113, chars_read,
exception_message(input_format, "count in an optimized container must be positive", "size"), nullptr)); exception_message(input_format, "count in an optimized container must be positive", "size"), nullptr));
} }
if (number > std::numeric_limits<std::size_t>::max())
{
return sax->parse_error(chars_read, get_token_string(), parse_error::create(408, chars_read,
exception_message(input_format, "integer value overflow", "size"), nullptr));
}
result = static_cast<std::size_t>(number); result = static_cast<std::size_t>(number);
return true; return true;
} }
@ -10714,6 +10719,11 @@ class binary_reader
{ {
return false; return false;
} }
if (number > std::numeric_limits<std::size_t>::max())
{
return sax->parse_error(chars_read, get_token_string(), parse_error::create(408, chars_read,
exception_message(input_format, "integer value overflow", "size"), nullptr));
}
result = detail::conditional_static_cast<std::size_t>(number); result = detail::conditional_static_cast<std::size_t>(number);
return true; return true;
} }
@ -10760,7 +10770,7 @@ class binary_reader
result *= i; result *= i;
if (result == 0) // because dim elements shall not have zeros, result = 0 means overflow happened if (result == 0) // because dim elements shall not have zeros, result = 0 means overflow happened
{ {
return sax->parse_error(chars_read, get_token_string(), parse_error::create(113, chars_read, exception_message(input_format, "excessive ndarray size caused overflow", "size"), nullptr)); return sax->parse_error(chars_read, get_token_string(), parse_error::create(408, chars_read, exception_message(input_format, "excessive ndarray size caused overflow", "size"), nullptr));
} }
if (JSON_HEDLEY_UNLIKELY(!sax->number_unsigned(static_cast<number_unsigned_t>(i)))) if (JSON_HEDLEY_UNLIKELY(!sax->number_unsigned(static_cast<number_unsigned_t>(i))))
{ {


@ -2541,7 +2541,14 @@ TEST_CASE("BJData")
CHECK_THROWS_WITH_AS(_ = json::from_bjdata(vL), "[json.exception.parse_error.113] parse error at byte 11: syntax error while parsing BJData size: count in an optimized container must be positive", json::parse_error&); CHECK_THROWS_WITH_AS(_ = json::from_bjdata(vL), "[json.exception.parse_error.113] parse error at byte 11: syntax error while parsing BJData size: count in an optimized container must be positive", json::parse_error&);
CHECK(json::from_bjdata(vL, true, false).is_discarded()); CHECK(json::from_bjdata(vL, true, false).is_discarded());
CHECK_THROWS_WITH_AS(_ = json::from_bjdata(vM), "[json.exception.parse_error.113] parse error at byte 18: syntax error while parsing BJData size: excessive ndarray size caused overflow", json::parse_error&); if(sizeof(size_t)==4)
{
CHECK_THROWS_WITH_AS(_ = json::from_bjdata(vM), "[json.exception.parse_error.408] parse error at byte 17: syntax error while parsing BJData size: integer value overflow", json::parse_error&);
}
else
{
CHECK_THROWS_WITH_AS(_ = json::from_bjdata(vM), "[json.exception.parse_error.408] parse error at byte 18: syntax error while parsing BJData size: excessive ndarray size caused overflow", json::parse_error&);
}
CHECK(json::from_bjdata(vM, true, false).is_discarded()); CHECK(json::from_bjdata(vM, true, false).is_discarded());
} }
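Review bot: The changed expectations exercise only the ndarray input `vM`, so the two new `integer value overflow` branches are reached by this test on 32-bit builds alone. Nothing visible here covers a UBJSON input or a dimension product that wraps to a non-zero value. A case that passes a count larger than `size_t` to `json::from_ubjson`, guarded on `sizeof(size_t)` in the same way, would pin the 408 path for both formats named in the commit title. The `if(sizeof(size_t)==4)` split would also be easier to maintain with a comment such as `// 32-bit size_t: the dimension itself does not fit, so parsing fails one byte earlier with "integer value overflow"`, if that is indeed the reason for the differing byte offsets. The enclosing TEST_CASE section starts outside the hunk.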