maciejhirsz / json-rust

JSON implementation in Rust
Apache License 2.0
563 stars 63 forks

May panic due to too large capacity #193

Open StevenJiang1110 opened 3 years ago

StevenJiang1110 commented 3 years ago

If we provide a capacity too large, the program may crash. The code to replay the crash is as below.

fn main() {
    let capacity = 673957684733028; // deliberately oversized; triggers the crash
    let _ = json::object::Object::with_capacity(capacity);
}

I ran the code on my x86-64 machine, Ubuntu 18.04, and the error report is

[screenshot: 2020-12-15 2:06:19 PM]

I think it's better to restrict the capacity and return a Result instead of letting it crash alone, especially on x64 machines, where the length of usize is 64 bits. The above was found by afl.rs. Thanks a lot.
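An added example (not json-rust's code; `Entry`, `CapacityError` and `try_with_capacity` are hypothetical stand-ins) of the fallible constructor the report asks for: it bounds the capacity by a caller policy, checks the byte count for overflow, and uses `Vec::try_reserve_exact` so an allocator refusal comes back as an `Err` instead of a crash.

```rust
use std::collections::TryReserveError;

/// Hypothetical stand-in for an object entry; only its size matters here.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Entry {
    pub key: String,
    pub value: String,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum CapacityError {
    /// Above the caller's policy ceiling (e.g. derived from input length).
    TooLarge { requested: usize, max: usize },
    /// capacity * size_of::<Entry>() overflows usize or exceeds isize::MAX.
    Overflow,
    /// The allocator refused the request; reported instead of aborting.
    Alloc,
}

impl From<TryReserveError> for CapacityError {
    fn from(_: TryReserveError) -> Self {
        CapacityError::Alloc
    }
}

/// Fallible counterpart of `with_capacity`: every unreasonable request
/// comes back as `Err` rather than a panic or an allocation abort.
pub fn try_with_capacity(capacity: usize, max: usize) -> Result<Vec<Entry>, CapacityError> {
    if capacity > max {
        return Err(CapacityError::TooLarge { requested: capacity, max });
    }
    let bytes = capacity.checked_mul(std::mem::size_of::<Entry>());
    if bytes.map_or(true, |b| b > isize::MAX as usize) {
        return Err(CapacityError::Overflow);
    }
    let mut entries = Vec::new();
    // try_reserve_exact returns Err on both capacity overflow and OOM.
    entries.try_reserve_exact(capacity)?;
    Ok(entries)
}

fn main() {
    // The reporter's value, now rejected by the policy ceiling instead of crashing.
    let requested: usize = 673_957_684_733_028;
    match try_with_capacity(requested, 1 << 20) {
        Ok(v) => println!("reserved {}", v.capacity()),
        Err(e) => println!("rejected: {e:?}"),
    }
}
```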

StevenJiang1110 commented 3 years ago

Another similar overflow panic issue is about json::parse(). If I pass a very long str, it may crash due to overflow. I put the replay file at https://github.com/StevenJiang1110/afl_rust_crashes/tree/main/json/replay_json53-1. I think it's better to restrict the input string len. The above is found by afl.rs. Thanks a lot.