diff options
author | Anthony Liguori <aliguori@us.ibm.com> | 2011-06-01 12:14:52 -0500 |
---|---|---|
committer | Anthony Liguori <aliguori@us.ibm.com> | 2011-06-07 13:52:11 -0500 |
commit | 325601b47b64b33cbe237508df2037e195795497 (patch) | |
tree | c4af4f5c558f7e2d14dca85c69c7a9d3b517e35f | |
parent | 55f8301f7665eeef6d454cf4843c3f67b067f357 (diff) |
json-lexer: limit the maximum size of a given token
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
-rw-r--r-- | json-lexer.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/json-lexer.c b/json-lexer.c index 65c9720d65..fe5a060d4d 100644 --- a/json-lexer.c +++ b/json-lexer.c @@ -18,6 +18,8 @@ #include "qemu-common.h" #include "json-lexer.h" +#define MAX_TOKEN_SIZE (64ULL << 20) + /* * \"([^\\\"]|(\\\"\\'\\\\\\/\\b\\f\\n\\r\\t\\u[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]))*\" * '([^\\']|(\\\"\\'\\\\\\/\\b\\f\\n\\r\\t\\u[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]))*' @@ -309,6 +311,17 @@ static int json_lexer_feed_char(JSONLexer *lexer, char ch) } lexer->state = new_state; } while (!char_consumed); + + /* Do not let a single token grow to an arbitrarily large size, + * this is a security consideration. + */ + if (lexer->token->length > MAX_TOKEN_SIZE) { + lexer->emit(lexer, lexer->token, lexer->state, lexer->x, lexer->y); + QDECREF(lexer->token); + lexer->token = qstring_new(); + lexer->state = IN_START; + } + return 0; } |