diff options
| author | Ezio Melotti <ezio.melotti@gmail.com> | 2011-05-07 14:58:09 (GMT) |
|---|---|---|
| committer | Ezio Melotti <ezio.melotti@gmail.com> | 2011-05-07 14:58:09 (GMT) |
| commit | 362b95102f76d042e7f3865c1ebec5d36c79959a (patch) | |
| tree | a9c0400d35a1806e92ee78378e4aae30f9492791 | |
| parent | 7420b70240586b700f5cadfa0bbdffbbe6cb8e5a (diff) | |
| download | cpython-362b95102f76d042e7f3865c1ebec5d36c79959a.zip cpython-362b95102f76d042e7f3865c1ebec5d36c79959a.tar.gz cpython-362b95102f76d042e7f3865c1ebec5d36c79959a.tar.bz2 | |
#12017: Fix segfault in json.loads() while decoding highly-nested objects using the C accelerations.
| -rw-r--r-- | Lib/json/tests/test_recursion.py | 12 | ||||
| -rw-r--r-- | Misc/NEWS | 3 | ||||
| -rw-r--r-- | Modules/_json.c | 15 |
3 files changed, 28 insertions, 2 deletions
diff --git a/Lib/json/tests/test_recursion.py b/Lib/json/tests/test_recursion.py index 1e9b8ab..6d5db50 100644 --- a/Lib/json/tests/test_recursion.py +++ b/Lib/json/tests/test_recursion.py @@ -65,3 +65,15 @@ class TestRecursion(TestCase): pass else: self.fail("didn't raise ValueError on default recursion") + + + def test_highly_nested_objects(self): + # test that loading highly-nested objects doesn't segfault when C + # accelerations are used. See #12017 + with self.assertRaises(RuntimeError): + json.loads('{"a":' * 100000 + '1' + '}' * 100000) + with self.assertRaises(RuntimeError): + json.loads('{"a":' * 100000 + '[1]' + '}' * 100000) + with self.assertRaises(RuntimeError): + json.loads('[' * 100000 + '1' + ']' * 100000) + @@ -314,6 +314,9 @@ Library Extensions ---------- +- Issue #12017: Fix segfault in json.loads() while decoding highly-nested + objects using the C accelerations. + - Issue #1838: Prevent segfault in ctypes, when _as_parameter_ on a class is set to an instance of the class. diff --git a/Modules/_json.c b/Modules/_json.c index 4da5e74..7a995a5 100644 --- a/Modules/_json.c +++ b/Modules/_json.c @@ -899,6 +899,7 @@ scan_once_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_ Returns a new PyObject representation of the term. */ + PyObject *res; Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr); Py_ssize_t length = PyUnicode_GET_SIZE(pystr); if (idx >= length) { @@ -913,10 +914,20 @@ scan_once_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_ next_idx_ptr); case '{': /* object */ - return _parse_object_unicode(s, pystr, idx + 1, next_idx_ptr); + if (Py_EnterRecursiveCall(" while decoding a JSON object " + "from a unicode string")) + return NULL; + res = _parse_object_unicode(s, pystr, idx + 1, next_idx_ptr); + Py_LeaveRecursiveCall(); + return res; case '[': /* array */ - return _parse_array_unicode(s, pystr, idx + 1, next_idx_ptr); + if (Py_EnterRecursiveCall(" while decoding a JSON array " + "from a unicode string")) + return NULL; + res = _parse_array_unicode(s, pystr, idx + 1, next_idx_ptr); + Py_LeaveRecursiveCall(); + return res; case 'n': /* null */ if ((idx + 3 < length) && str[idx + 1] == 'u' && str[idx + 2] == 'l' && str[idx + 3] == 'l') { |