fix security hole for string-key-lengths > 2^30

cdunn2001 · cdunn2001 · commit 2d653bd15dd3 · 2015-03-03T00:14:54.000-06:00
diff --git a/src/lib_json/json_reader.cpp b/src/lib_json/json_reader.cpp
@@ -1430,6 +1430,7 @@ bool OurReader::readObject(Token& tokenStart) {
       return addErrorAndRecover(
           "Missing ':' after object member name", colon, tokenObjectEnd);
     }
+    if (name.length() >= (1U<<30)) throw std::runtime_error("keylength >= 2^30");
     Value& value = currentValue()[name];
     nodes_.push(&value);
     bool ok = readValue();
diff --git a/src/lib_json/json_value.cpp b/src/lib_json/json_value.cpp
@@ -191,8 +191,6 @@ void Value::CommentInfo::setComment(const char* text, size_t len) {
 
 // Notes: policy_ indicates if the string was allocated when
 // a string is stored.
-//
-// TODO: Check for length > 1GB, in Reader.
 
 Value::CZString::CZString(ArrayIndex index) : cstr_(0), index_(index) {}
 

Original file line number	Diff line number	Diff line change
`@@ -1430,6 +1430,7 @@ bool OurReader::readObject(Token& tokenStart) {`
`1430`	`1430`	`return addErrorAndRecover(`
`1431`	`1431`	`"Missing ':' after object member name", colon, tokenObjectEnd);`
`1432`	`1432`	`}`
	`1433`	`+ if (name.length() >= (1U<<30)) throw std::runtime_error("keylength >= 2^30");`
`1433`	`1434`	`Value& value = currentValue()[name];`
`1434`	`1435`	`nodes_.push(&value);`
`1435`	`1436`	`bool ok = readValue();`