[systemd-devel] [PATCH 2/5] shared/json: JSON parser + number tokenizer bugfix
Lennart Poettering
mzerqung at 0pointer.de
Mon May 18 05:19:06 PDT 2015
On Mon, 18.05.15 10:45, Pavel Odvody (podvody at redhat.com) wrote:
> > > Yes, it could be handled, but I wouldn't call it nicely :)
> > > Since there's a lot of nested objects / arrays I guess that you'd need
> > > to do the syntactic analysis anyway. It'd be even worse in case some
> > > values would shadow the key names, or some part of the document were
> > > re-ordered.
> >
> > Well, what I really don't like about object parsers is that they might
> > take unbounded memory, which is much less a problem with stream
> > parsers...
> >
> > If we do object model parsing we really need to be careful with
> > enforcing limits on everything...
> >
> > Lennart
> >
>
> Hmm, I could add a function measuring the size of the resulting object.
>
> int json_parse_check(const char* data, size_t *size);
>
> Which accepts a JSON string and outputs the final size on success.
>
> What do you think?
Thinking about it I suspect we are OK without additional checks, as
long as we strictly enforce size limits on the JSON text we download
(and we do so comprehensively afaics). The parsed structures' memory
use is a linear function of the JSON text size, hence this should be
safe already, hence I ignore my earlier comments on this.
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list