
picojson - Abort on parsing possible DoS #94

Open
dzonerzy opened this issue Feb 7, 2017 · 1 comment

Comments


dzonerzy commented Feb 7, 2017

During a security review of picojson I found an interesting test case which will crash picojson due to an abort call; the issue seems to be related to how picojson handles numbers with exponents. Below is a screenshot:

[screenshot attached to the original issue, taken 2017-02-07 01:50:23]

I didn't investigate further; anyway, it would be nice to have this fixed. Let me know if you need more info.

Best Regards,
Daniele

kazuho (Owner) commented Feb 7, 2017

Thank you for reporting the issue.

At the moment, we indeed throw a std::overflow_error when a parsed number is out of bounds. https://github.com/kazuho/picojson/blob/master/picojson.h#L230

But I agree that when parsing a JSON string it would be better to report it as an ordinary parse error instead of an exception.
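
To illustrate both halves of this thread (the uncaught std::overflow_error path the reporter hit, and the parse-error alternative the owner suggests), here is an added C++ example; it is not picojson's code, and NumberValue, parse_number_throwing, parse_number and throws_on are constructed names.

```cpp
#include <cerrno>
#include <cmath>
#include <cstdlib>
#include <stdexcept>
#include <string>

// Constructed stand-in for a JSON value type that refuses non-finite doubles by
// throwing. A token such as "1e999" overflows to infinity in strtod, so the
// throw fires; if no caller catches it, the process terminates (abort).
struct NumberValue {
  double n;
  explicit NumberValue(double v) : n(v) {
    if (!std::isfinite(v)) throw std::overflow_error("non-finite number");
  }
};

// Parse path as described in the issue: strtod, then wrap in the value type.
// An exponent that overflows escapes as an exception rather than a parse error.
NumberValue parse_number_throwing(const std::string &tok) {
  char *endp = nullptr;
  double f = std::strtod(tok.c_str(), &endp);
  if (endp != tok.c_str() + tok.size()) throw std::invalid_argument("bad number");
  return NumberValue(f);
}

// Hardened path: report an ordinary parse error and never throw.
// Returns true on success (value in `out`); on failure `err` carries the reason.
bool parse_number(const std::string &tok, double &out, std::string &err) {
  char *endp = nullptr;
  errno = 0;
  double f = std::strtod(tok.c_str(), &endp);
  if (endp == tok.c_str() || endp != tok.c_str() + tok.size()) {
    err = "invalid number";
    return false;
  }
  // On exponent overflow strtod returns +/-HUGE_VAL (infinity) and sets ERANGE.
  // Checking finiteness catches that without rejecting a harmless underflow to 0.
  if (!std::isfinite(f)) {
    err = "number out of range";
    return false;
  }
  out = f;
  return true;
}

// True if the throwing parser lets an exception escape for this token.
bool throws_on(const std::string &tok) {
  try { parse_number_throwing(tok); return false; }
  catch (const std::exception &) { return true; }
}
```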
