From df3af446e7d9d42230a2ec71984ee19260af5c66 Mon Sep 17 00:00:00 2001
From: Simon
Date: Fri, 26 Aug 2016 23:35:45 -0700
Subject: [PATCH 1/2] Fixes #1122 where json_spirit could stack overflow because there was no maximum limit set on the number of nested compound elements.

---
 src/Makefile.gtest.include | 1 +
 src/gtest/test_jsonspirit.cpp | 17 +++++++++++++++++
 src/json/json_spirit_reader_template.h | 6 ++++++
 3 files changed, 24 insertions(+)
 create mode 100644 src/gtest/test_jsonspirit.cpp

diff --git a/src/Makefile.gtest.include b/src/Makefile.gtest.include
index 8e22ed397..388c7697c 100644
--- a/src/Makefile.gtest.include
+++ b/src/Makefile.gtest.include
@@ -5,6 +5,7 @@ bin_PROGRAMS += zcash-gtest
 zcash_gtest_SOURCES = \
 gtest/main.cpp \
 gtest/json_test_vectors.cpp \
+ gtest/test_jsonspirit.cpp \
 gtest/test_tautology.cpp \
 gtest/test_checktransaction.cpp \
 gtest/test_equihash.cpp \
diff --git a/src/gtest/test_jsonspirit.cpp b/src/gtest/test_jsonspirit.cpp
new file mode 100644
index 000000000..f93e8d459
--- /dev/null
+++ b/src/gtest/test_jsonspirit.cpp
@@ -0,0 +1,17 @@
+#include
+
+#include "json/json_spirit_reader_template.h"
+
+using namespace json_spirit;
+
+// This test checks if we have fixed a stack overflow problem with json_spirit.
+// It was possible to try and create an unlimited number of nested compound elements.
+// Without the fix in json_spirit_reader_template.h, this test will segfault.
+TEST(json_spirit_tests, nested_input_segfault) {
+ std::vector v (100000);
+ std::fill (v.begin(),v.end(), '[');
+ std::string s(v.begin(), v.end());
+ Value value;
+ bool b = json_spirit::read_string(s, value);
+ ASSERT_FALSE(b);
+}
diff --git a/src/json/json_spirit_reader_template.h b/src/json/json_spirit_reader_template.h
index 47e3c1ca8..2e3d21e90 100644
--- a/src/json/json_spirit_reader_template.h
+++ b/src/json/json_spirit_reader_template.h
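Review bot: The new test in test_jsonspirit.cpp pins only that parsing fails (`ASSERT_FALSE(b)` at the end of the hunk), so it would pass just as well if the reader rejected the input for an unrelated reason or if the limit were set so low that ordinary documents broke; a document nested just under the limit should be shown to parse successfully, and the throwing reader variant should be shown to raise the exception type the fix throws, so the test pins the new bound rather than any failure. The 100000-character input is built with a `std::vector` plus `std::fill` and then copied into a string, where `std::string s(100000, '[');` does the same in one line. The first `#include` line carries no header name in this view, presumably lost in extraction, so its target cannot be checked here.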
@@ -308,6 +308,12 @@ namespace json_spirit
 }
 else
 {
+ // ZCASH: Prevent potential stack overflow by setting a limit on the number of nested compound elements
+ if (stack_.size() > 128) {
+ throw "too many nested elements";
+ }
+ // ENDZCASH
+
 stack_.push_back( current_p_ );
 Array_or_obj new_array_or_obj; // avoid copy by building new array or object in place

From 1f882153b69d05c7fd0890981b7f6fff172c4795 Mon Sep 17 00:00:00 2001
From: Simon
Date: Sat, 27 Aug 2016 09:14:25 -0700
Subject: [PATCH 2/2] Throw a domain error as json_spirit is a third-party library.

---
 src/json/json_spirit_reader_template.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/json/json_spirit_reader_template.h b/src/json/json_spirit_reader_template.h
index 2e3d21e90..33aa0958e 100644
--- a/src/json/json_spirit_reader_template.h
+++ b/src/json/json_spirit_reader_template.h
@@ -310,7 +310,7 @@ namespace json_spirit
 {
 // ZCASH: Prevent potential stack overflow by setting a limit on the number of nested compound elements
 if (stack_.size() > 128) {
- throw "too many nested elements";
+ throw std::domain_error("too many nested elements");
 }
 // ENDZCASH
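Review bot: The nesting limit in the first hunk of json_spirit_reader_template.h is a bare magic number, and because the guard reads `stack_.size() > 128` it fires only once the stack already holds more than 128 parents, so the `push_back` that follows it can still grow the stack to 129 entries before the next compound element is refused. Name the constant and compare with `>=` so the constant is the real maximum: `static const size_t max_nesting_depth = 128;` and `if (stack_.size() >= max_nesting_depth) {`; the second patch's hunk covers the same lines and would need the same rename. The ZCASH comment says why a limit exists but not how 128 was chosen; one sentence on that (it is a defensive bound on parser recursion, not a limit JSON itself imposes) would stop a later maintainer from raising it without thinking about the stack. The enclosing function starts and ends outside the hunk.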
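Review bot: `std::domain_error` in the second patch's hunk is declared in `<stdexcept>`, and nothing in the hunk shows that header being included; if json_spirit_reader_template.h gets it only transitively, add `#include <stdexcept>` beside the header's other includes so the throw does not depend on include order. `std::domain_error` is also conventionally the arithmetic domain-error type, and `std::length_error` ("implementation length limit exceeded") or `std::runtime_error` reads closer to "input too deeply nested", though any `std::exception` subtype meets the goal in the commit title. Callers of the throwing reader variants will presumably now see this exception instead of json_spirit's usual error type, which is worth a sentence in the ZCASH comment. The enclosing function starts and ends outside the hunk.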