balloon: Simplify code flow

[qemu.git] / json-streamer.c

diff --git a/json-streamer.c b/json-streamer.c
index 610ffea6db33707ed9e70ea0448e5f01c9e75717..c255c7818f3af4c6cd9dfca71ee55e8dd63bbb7c 100644 (file)
--- a/json-streamer.c
+++ b/json-streamer.c
@@ -18,6 +18,9 @@
 #include "json-lexer.h"
 #include "json-streamer.h"
 
+#define MAX_TOKEN_SIZE (64ULL << 20)
+#define MAX_NESTING (1ULL << 10)
+
 static void json_message_process_token(JSONLexer *lexer, QString *token, JSONTokenType type, int x, int y)
 {
     JSONMessageParser *parser = container_of(lexer, JSONMessageParser, lexer);
@@ -43,20 +46,50 @@ static void json_message_process_token(JSONLexer *lexer, QString *token, JSONTok
     }
 
     dict = qdict_new();
-    qdict_put_obj(dict, "type", QOBJECT(qint_from_int(type)));
+    qdict_put(dict, "type", qint_from_int(type));
     QINCREF(token);
-    qdict_put_obj(dict, "token", QOBJECT(token));
-    qdict_put_obj(dict, "x", QOBJECT(qint_from_int(x)));
-    qdict_put_obj(dict, "y", QOBJECT(qint_from_int(y)));
+    qdict_put(dict, "token", token);
+    qdict_put(dict, "x", qint_from_int(x));
+    qdict_put(dict, "y", qint_from_int(y));
+
+    parser->token_size += token->length;
 
     qlist_append(parser->tokens, dict);
 
-    if (parser->brace_count == 0 &&
-        parser->bracket_count == 0) {
-        parser->emit(parser, parser->tokens);
+    if (type == JSON_ERROR) {
+        goto out_emit_bad;
+    } else if (parser->brace_count < 0 ||
+        parser->bracket_count < 0 ||
+        (parser->brace_count == 0 &&
+         parser->bracket_count == 0)) {
+        goto out_emit;
+    } else if (parser->token_size > MAX_TOKEN_SIZE ||
+               parser->bracket_count > MAX_NESTING ||
+               parser->brace_count > MAX_NESTING) {
+        /* Security consideration, we limit total memory allocated per object
+         * and the maximum recursion depth that a message can force.
+         */
+        goto out_emit;
+    }
+
+    return;
+
+out_emit_bad:
+    /* clear out token list and tell the parser to emit and error
+     * indication by passing it a NULL list
+     */
+    QDECREF(parser->tokens);
+    parser->tokens = NULL;
+out_emit:
+    /* send current list of tokens to parser and reset tokenizer */
+    parser->brace_count = 0;
+    parser->bracket_count = 0;
+    parser->emit(parser, parser->tokens);
+    if (parser->tokens) {
         QDECREF(parser->tokens);
-        parser->tokens = qlist_new();
     }
+    parser->tokens = qlist_new();
+    parser->token_size = 0;
 }
 
 void json_message_parser_init(JSONMessageParser *parser,
@@ -66,6 +99,7 @@ void json_message_parser_init(JSONMessageParser *parser,
     parser->brace_count = 0;
     parser->bracket_count = 0;
     parser->tokens = qlist_new();
+    parser->token_size = 0;
 
     json_lexer_init(&parser->lexer, json_message_process_token);
 }