json-lexer: limit the maximum size of a given token

author Anthony Liguori <aliguori@us.ibm.com>

Wed, 1 Jun 2011 17:14:52 +0000 (12:14 -0500)

committer Anthony Liguori <aliguori@us.ibm.com>

Tue, 7 Jun 2011 18:52:11 +0000 (13:52 -0500)
author Anthony Liguori <aliguori@us.ibm.com>
Wed, 1 Jun 2011 17:14:52 +0000 (12:14 -0500)
committer Anthony Liguori <aliguori@us.ibm.com>
Tue, 7 Jun 2011 18:52:11 +0000 (13:52 -0500)
diff --git a/json-lexer.c b/json-lexer.c

index 65c9720d65be3eafcf7cfec6ec9141520c1a846b..fe5a060d4dd1c5cad3fa30ec4cc349f7af5c2a46 100644 (file)
--- a/json-lexer.c
+++ b/json-lexer.c
@@ -18,6 +18,8 @@
  #include "qemu-common.h"
  #include "json-lexer.h"
  
+#define MAX_TOKEN_SIZE (64ULL << 20)
+
  /*
   * \"([^\\\"]|(\\\"\\'\\\\\\/\\b\\f\\n\\r\\t\\u[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]))*\"
   * '([^\\']|(\\\"\\'\\\\\\/\\b\\f\\n\\r\\t\\u[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]))*'
@@ -309,6 +311,17 @@ static int json_lexer_feed_char(JSONLexer *lexer, char ch)
          }
          lexer->state = new_state;
      } while (!char_consumed);
+
+    /* Do not let a single token grow to an arbitrarily large size,
+     * this is a security consideration.
+     */
+    if (lexer->token->length > MAX_TOKEN_SIZE) {
+        lexer->emit(lexer, lexer->token, lexer->state, lexer->x, lexer->y);
+        QDECREF(lexer->token);
+        lexer->token = qstring_new();
+        lexer->state = IN_START;
+    }
+
      return 0;
  }
author	Anthony Liguori <aliguori@us.ibm.com>
	Wed, 1 Jun 2011 17:14:52 +0000 (12:14 -0500)
committer	Anthony Liguori <aliguori@us.ibm.com>
	Tue, 7 Jun 2011 18:52:11 +0000 (13:52 -0500)