[PATCH v2 4/9] json: Add overflow checks for integer and float parsing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Signed-off-by: Arun Raghavan <arun at arunraghavan.net>
---
 src/pulse/json.c      | 18 ++++++++++++++++++
 src/tests/json-test.c |  3 +++
 2 files changed, 21 insertions(+)

diff --git a/src/pulse/json.c b/src/pulse/json.c
index 4d5500f..4a8e222 100644
--- a/src/pulse/json.c
+++ b/src/pulse/json.c
@@ -211,6 +211,11 @@ static const char* parse_number(const char *str, pa_json_object *obj) {
     }
 
     while (is_digit(*str)) {
+        if (integer > ((negative ? INT_MAX : UINT_MAX) / 10)) {
+            pa_log("Integer overflow while parsing number");
+            goto error;
+        }
+
         integer = (integer * 10) + (*str - '0');
         str++;
     }
@@ -221,6 +226,11 @@ fraction:
         str++;
 
         while (is_digit(*str)) {
+            if (fraction > (UINT_MAX / 10)) {
+                pa_log("Integer overflow while parsing fractional part of number");
+                goto error;
+            }
+
             fraction = (fraction * 10) + (*str - '0');
             fraction_digits++;
             str++;
@@ -240,6 +250,11 @@ fraction:
             str++;
 
         while (is_digit(*str)) {
+            if (exponent > (INT_MAX / 10)) {
+                pa_log("Integer overflow while parsing exponent part of number");
+                goto error;
+            }
+
             exponent = (exponent * 10) + (*str - '0');
             str++;
         }
@@ -258,6 +273,9 @@ fraction:
     }
 
     return str;
+
+error:
+    return NULL;
 }
 
 static const char *parse_object(const char *str, pa_json_object *obj) {
diff --git a/src/tests/json-test.c b/src/tests/json-test.c
index 7d273d7..a5f1f74 100644
--- a/src/tests/json-test.c
+++ b/src/tests/json-test.c
@@ -220,6 +220,9 @@ START_TEST(bad_test) {
     unsigned int i;
     const char *bad_parse[] = {
         "\"" /* Quote not closed */,
+        "123456789012345678901234567890" /* Overflow */,
+        "0.123456789012345678901234567890" /* Overflow */,
+        "1e123456789012345678901234567890" /* Overflow */,
     };
 
     for (i = 0; i < PA_ELEMENTSOF(bad_parse); i++) {
-- 
2.5.5



[Index of Archives]     [Linux Audio Users]     [AMD Graphics]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux