Added a nesting limit to the parser to prevent stack overflow that could be a security issue

2025-11-01 00:38:27 +01:00 · 2014-11-06 10:24:37 +01:00
parent 2e4dd2d591
commit a3425a6306
5 changed files with 104 additions and 7 deletions
--- a/include/ArduinoJson/JsonBuffer.hpp
+++ b/include/ArduinoJson/JsonBuffer.hpp
@@ -19,9 +19,11 @@ class JsonBuffer {
  JsonArray &createArray();
  JsonObject &createObject();

-  JsonArray &parseArray(char *json);
-  JsonObject &parseObject(char *json);
+  JsonArray &parseArray(char *json, uint8_t nestingLimit = DEFAULT_LIMIT);
+  JsonObject &parseObject(char *json, uint8_t nestingLimit = DEFAULT_LIMIT);

  virtual void *alloc(size_t size) = 0;
+
+  static const uint8_t DEFAULT_LIMIT = 10;
 };
 }