Commit 362b9510 authored by Ezio Melotti's avatar Ezio Melotti

#12017: Fix segfault in json.loads() while decoding highly-nested objects...

#12017: Fix segfault in json.loads() while decoding highly-nested objects using the C accelerations.
parent 7420b702
......@@ -65,3 +65,15 @@ class TestRecursion(TestCase):
pass
else:
self.fail("didn't raise ValueError on default recursion")
def test_highly_nested_objects(self):
# test that loading highly-nested objects doesn't segfault when C
# accelerations are used. See #12017
with self.assertRaises(RuntimeError):
json.loads('{"a":' * 100000 + '1' + '}' * 100000)
with self.assertRaises(RuntimeError):
json.loads('{"a":' * 100000 + '[1]' + '}' * 100000)
with self.assertRaises(RuntimeError):
json.loads('[' * 100000 + '1' + ']' * 100000)
......@@ -314,6 +314,9 @@ Library
Extensions
----------
- Issue #12017: Fix segfault in json.loads() while decoding highly-nested
objects using the C accelerations.
- Issue #1838: Prevent segfault in ctypes, when _as_parameter_ on a class is set
to an instance of the class.
......
......@@ -899,6 +899,7 @@ scan_once_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_
Returns a new PyObject representation of the term.
*/
PyObject *res;
Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
if (idx >= length) {
......@@ -913,10 +914,20 @@ scan_once_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_
next_idx_ptr);
case '{':
/* object */
return _parse_object_unicode(s, pystr, idx + 1, next_idx_ptr);
if (Py_EnterRecursiveCall(" while decoding a JSON object "
"from a unicode string"))
return NULL;
res = _parse_object_unicode(s, pystr, idx + 1, next_idx_ptr);
Py_LeaveRecursiveCall();
return res;
case '[':
/* array */
return _parse_array_unicode(s, pystr, idx + 1, next_idx_ptr);
if (Py_EnterRecursiveCall(" while decoding a JSON array "
"from a unicode string"))
return NULL;
res = _parse_array_unicode(s, pystr, idx + 1, next_idx_ptr);
Py_LeaveRecursiveCall();
return res;
case 'n':
/* null */
if ((idx + 3 < length) && str[idx + 1] == 'u' && str[idx + 2] == 'l' && str[idx + 3] == 'l') {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment