authorAnthony Liguori <aliguori@us.ibm.com>2011-06-01 12:14:52 -0500
committerAnthony Liguori <aliguori@us.ibm.com>2011-06-07 13:52:11 -0500
commit325601b47b64b33cbe237508df2037e195795497 (patch)
treec4af4f5c558f7e2d14dca85c69c7a9d3b517e35f /json-lexer.c
parent55f8301f7665eeef6d454cf4843c3f67b067f357 (diff)
json-lexer: limit the maximum size of a given token
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'json-lexer.c')
-rw-r--r--json-lexer.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/json-lexer.c b/json-lexer.c
index 65c9720d65..fe5a060d4d 100644
--- a/json-lexer.c
+++ b/json-lexer.c
@@ -18,6 +18,8 @@
#include "qemu-common.h"
#include "json-lexer.h"
+#define MAX_TOKEN_SIZE (64ULL << 20)
+
/*
* \"([^\\\"]|(\\\"\\'\\\\\\/\\b\\f\\n\\r\\t\\u[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]))*\"
* '([^\\']|(\\\"\\'\\\\\\/\\b\\f\\n\\r\\t\\u[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]))*'
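Review bot: `MAX_TOKEN_SIZE` is added without a comment saying what it bounds or in which unit, and the later check compares it with `lexer->token->length`. A reader has to work out that `64ULL << 20` is 64 MiB and that the cap applies to one token, not to a whole message. I would add a comment above the define such as `/* Upper bound on the accumulated text of a single token (64 MiB); total input size is not limited here. */`. The unit is presumably bytes, which should be confirmed against the QString length field.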
@@ -309,6 +311,17 @@ static int json_lexer_feed_char(JSONLexer *lexer, char ch)
}
lexer->state = new_state;
} while (!char_consumed);
+
+ /* Do not let a single token grow to an arbitrarily large size,
+ * this is a security consideration.
+ */
+ if (lexer->token->length > MAX_TOKEN_SIZE) {
+ lexer->emit(lexer, lexer->token, lexer->state, lexer->x, lexer->y);
+ QDECREF(lexer->token);
+ lexer->token = qstring_new();
+ lexer->state = IN_START;
+ }
+
return 0;
}
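Review bot: The over-limit branch hands the callback a token that was cut off part-way with nothing marking it as incomplete: `lexer->emit(...)` is called with the current `lexer->state`, the state is reset to `IN_START`, and the function still falls through to `return 0`. The bytes after the cut are then lexed as fresh tokens, so the tail of an oversized string could be read as JSON structure by whatever consumes the tokens; it is worth confirming that the consumer rejects a token emitted in a non-final state. If json_lexer_feed_char has an error return (its body starts outside this hunk), I would report the truncation to the caller, e.g. `return -1;` inside the branch after the reset. The comment should then say what happens, for instance `/* Token exceeded MAX_TOKEN_SIZE: flush it, restart the lexer and report the input as malformed. */`.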