#12017: Fix segfault in json.loads() while decoding highly-nested objects...

#12017: Fix segfault in json.loads() while decoding highly-nested objects using the C accelerations.

#12017: Fix segfault in json.loads() while decoding highly-nested objects...
#12017: Fix segfault in json.loads() while decoding highly-nested objects using the C accelerations.
cec46495 · Ezio Melotti · 5ae6c42f · cec46495 · cec46495 · cec46495
Commit cec46495 authored May 07, 2011 by Ezio Melotti
Hide whitespace changes
Inline Side-by-side

Showing with 48 additions and 4 deletions

Lib/json/tests/test_recursion.py Lib/json/tests/test_recursion.py +19 -0

Misc/NEWS Misc/NEWS +3 -0

Modules/_json.c Modules/_json.c +26 -4

No files found.
--- a/Lib/json/tests/test_recursion.py
+++ b/Lib/json/tests/test_recursion.py
@@ -65,3 +65,22 @@ class TestRecursion(TestCase):
            pass
        else:
            self.fail("didn't raise ValueError on default recursion")
+    def test_highly_nested_objects(self):
+        # test that loading highly-nested objects doesn't segfault when C
+        # accelerations are used. See #12017
+        # str
+        with self.assertRaises(RuntimeError):
+            json.loads('{"a":' * 100000 + '1' + '}' * 100000)
+        with self.assertRaises(RuntimeError):
+            json.loads('{"a":' * 100000 + '[1]' + '}' * 100000)
+        with self.assertRaises(RuntimeError):
+            json.loads('[' * 100000 + '1' + ']' * 100000)
+        # unicode
+        with self.assertRaises(RuntimeError):
+            json.loads(u'{"a":' * 100000 + u'1' + u'}' * 100000)
+        with self.assertRaises(RuntimeError):
+            json.loads(u'{"a":' * 100000 + u'[1]' + u'}' * 100000)
+        with self.assertRaises(RuntimeError):
+            json.loads(u'[' * 100000 + u'1' + u']' * 100000)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -358,6 +358,9 @@ Library
 Extension Modules
 -----------------
+- Issue #12017: Fix segfault in json.loads() while decoding highly-nested
+  objects using the C accelerations.
 - Issue #1838: Prevent segfault in ctypes, when _as_parameter_ on a class is set
  to an instance of the class.

--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -1488,6 +1488,7 @@ scan_once_str(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_t *n
    Returns a new PyObject representation of the term.
    */
+    PyObject *res;
    char *str = PyString_AS_STRING(pystr);
    Py_ssize_t length = PyString_GET_SIZE(pystr);
    if (idx >= length) {
@@ -1503,10 +1504,20 @@ scan_once_str(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_t *n
                next_idx_ptr);
        case '{':
            /* object */
-            return _parse_object_str(s, pystr, idx + 1, next_idx_ptr);
+            if (Py_EnterRecursiveCall(" while decoding a JSON object "
+                                      "from a byte string"))
+                return NULL;
+            res = _parse_object_str(s, pystr, idx + 1, next_idx_ptr);
+            Py_LeaveRecursiveCall();
+            return res;
        case '[':
            /* array */
-            return _parse_array_str(s, pystr, idx + 1, next_idx_ptr);
+            if (Py_EnterRecursiveCall(" while decoding a JSON array "
+                                      "from a byte string"))
+                return NULL;
+            res = _parse_array_str(s, pystr, idx + 1, next_idx_ptr);
+            Py_LeaveRecursiveCall();
+            return res;
        case 'n':
            /* null */
            if ((idx + 3 < length) && str[idx + 1] == 'u' && str[idx + 2] == 'l' && str[idx + 3] == 'l') {
@@ -1564,6 +1575,7 @@ scan_once_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_
    Returns a new PyObject representation of the term.
    */
+    PyObject *res;
    Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
    Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
    if (idx >= length) {
@@ -1578,10 +1590,20 @@ scan_once_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_
                next_idx_ptr);
        case '{':
            /* object */
-            return _parse_object_unicode(s, pystr, idx + 1, next_idx_ptr);
+            if (Py_EnterRecursiveCall(" while decoding a JSON object "
+                                      "from a unicode string"))
+                return NULL;
+            res = _parse_object_unicode(s, pystr, idx + 1, next_idx_ptr);
+            Py_LeaveRecursiveCall();
+            return res;
        case '[':
            /* array */
-            return _parse_array_unicode(s, pystr, idx + 1, next_idx_ptr);
+            if (Py_EnterRecursiveCall(" while decoding a JSON array "
+                                      "from a unicode string"))
+                return NULL;
+            res = _parse_array_unicode(s, pystr, idx + 1, next_idx_ptr);
+            Py_LeaveRecursiveCall();
+            return res;
        case 'n':
            /* null */
            if ((idx + 3 < length) && str[idx + 1] == 'u' && str[idx + 2] == 'l' && str[idx + 3] == 'l') {