From bccd7aeef20efffd1eb8fdf191b8533759565133 Mon Sep 17 00:00:00 2001
From: Qianqian Fang
Date: Mon, 6 Jun 2022 13:37:47 -0400
Subject: [PATCH] Fix ndarray dimension signness, fix ndarray length overflow, close #3519
---
 include/nlohmann/detail/input/binary_reader.hpp | 6 +++++-
 single_include/nlohmann/json.hpp | 6 +++++-
 tests/src/unit-bjdata.cpp | 8 ++++++--
 3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/include/nlohmann/detail/input/binary_reader.hpp b/include/nlohmann/detail/input/binary_reader.hpp
index cbcb41588..ad5786afa 100644
--- a/include/nlohmann/detail/input/binary_reader.hpp
+++ b/include/nlohmann/detail/input/binary_reader.hpp
@@ -2168,7 +2168,11 @@ class binary_reader
 for (auto i : dim)
 {
 result *= i;
- if (JSON_HEDLEY_UNLIKELY(!sax->number_integer(static_cast(i))))
+ if (result == 0) // because dim elements shall not have zeros, result = 0 means overflow happened
+ {
+ return sax->parse_error(chars_read, get_token_string(), parse_error::create(113, chars_read, exception_message(input_format, "excessive ndarray size caused overflow", "size"), nullptr));
+ }
+ if (JSON_HEDLEY_UNLIKELY(!sax->number_unsigned(static_cast(i))))
 {
 return false;
 }
diff --git a/single_include/nlohmann/json.hpp b/single_include/nlohmann/json.hpp
index 2837e74b9..d480b87b0 100644
--- a/single_include/nlohmann/json.hpp
+++ b/single_include/nlohmann/json.hpp
@@ -10758,7 +10758,11 @@ class binary_reader
 for (auto i : dim)
 {
 result *= i;
- if (JSON_HEDLEY_UNLIKELY(!sax->number_integer(static_cast(i))))
+ if (result == 0) // because dim elements shall not have zeros, result = 0 means overflow happened
+ {
+ return sax->parse_error(chars_read, get_token_string(), parse_error::create(113, chars_read, exception_message(input_format, "excessive ndarray size caused overflow", "size"), nullptr));
+ }
+ if (JSON_HEDLEY_UNLIKELY(!sax->number_unsigned(static_cast(i))))
 {
 return false;
 }
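Review bot: The overflow guard `if (result == 0)` added after `result *= i;` only catches products that wrap to an exact multiple of 2^64; most unsigned wrap-arounds land on a nonzero value (two dimensions of 2^32+1, for example, multiply to 2^33+1 after wrapping) and pass straight through, leaving `result` far smaller than the dimensions describe for whatever consumes it downstream. Check before multiplying instead: `if (i != 0 && result > (std::numeric_limits<decltype(result)>::max)() / i)` followed by the same `parse_error` return, and only then `result *= i;` (this needs `<limits>` if the header does not already include it). The comment's claim that dim elements cannot be zero rests on a check elsewhere in the function, which starts and ends outside the hunk; if that check is absent, a zero dimension would trip this branch with a misleading "overflow" message, so keep a `result == 0` fallback only with an accurate message. The identical lines in the single_include/nlohmann/json.hpp hunk are the amalgamated copy and should presumably be regenerated from the header rather than patched by hand.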
diff --git a/tests/src/unit-bjdata.cpp b/tests/src/unit-bjdata.cpp
index a2ea7820f..558be74f8 100644
--- a/tests/src/unit-bjdata.cpp
+++ b/tests/src/unit-bjdata.cpp
@@ -2511,6 +2511,7 @@ TEST_CASE("BJData")
 std::vector vI = {'[', '#', 'I', 0x00, 0xF1};
 std::vector vl = {'[', '#', 'l', 0x00, 0x00, 0x00, 0xF2};
 std::vector vL = {'[', '#', 'L', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF3};
+ std::vector vM = {'[', '$', 'M', '#', '[', 'I', 0x00, 0x20, 'M', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0xFF, ']'};
 json _;
 CHECK_THROWS_WITH_AS(_ = json::from_bjdata(v1), "[json.exception.parse_error.113] parse error at byte 4: syntax error while parsing BJData size: count in an optimized container must be positive", json::parse_error&);
@@ -2535,10 +2536,13 @@ TEST_CASE("BJData")
 CHECK(json::from_bjdata(vI, true, false).is_discarded());
 CHECK_THROWS_WITH_AS(_ = json::from_bjdata(vl), "[json.exception.parse_error.113] parse error at byte 7: syntax error while parsing BJData size: count in an optimized container must be positive", json::parse_error&);
- CHECK(json::from_bjdata(vI, true, false).is_discarded());
+ CHECK(json::from_bjdata(vl, true, false).is_discarded());
 CHECK_THROWS_WITH_AS(_ = json::from_bjdata(vL), "[json.exception.parse_error.113] parse error at byte 11: syntax error while parsing BJData size: count in an optimized container must be positive", json::parse_error&);
- CHECK(json::from_bjdata(vI, true, false).is_discarded());
+ CHECK(json::from_bjdata(vL, true, false).is_discarded());
+
+ CHECK_THROWS_WITH_AS(_ = json::from_bjdata(vM), "[json.exception.parse_error.113] parse error at byte 18: syntax error while parsing BJData size: excessive ndarray size caused overflow", json::parse_error&);
+ CHECK(json::from_bjdata(vM, true, false).is_discarded());
 }
 SECTION("do not accept NTFZ markers in ndarray optimized type (with count)")
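Review bot: The new `vM` fixture appears to encode dimensions of 0x2000 and 0xFF20000000000000, whose product wraps to exactly 0, which is the one overflow shape the `result == 0` guard in binary_reader.hpp can detect; a second fixture whose dimension product wraps to a nonzero value (e.g. two 'M' dimensions of 2^32+1) is the case worth pinning, since a wrap-around check must reject it too and the current guard would let it parse. Replacing the copy-pasted `vI` in the `vl`/`vL` `is_discarded()` checks is correct and finally makes those two assertions exercise their own fixtures. The enclosing test body starts before the first hunk and continues past the second.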