Overview
Comment: | Add depth limit for MessagePack |
---|---|
Downloads: | Tarball | ZIP archive | SQL archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: |
c0d8a3426cce307995c0b17bd6a8c2e9 |
User & Date: | js on 2017-05-13 23:27:40 |
Other Links: | manifest | tags |
Context
2017-05-14
| ||
00:11 | Small optimization for objc_storeStrong() check-in: 9d12f9759f user: js tags: trunk | |
2017-05-13
| ||
23:27 | Add depth limit for MessagePack check-in: c0d8a3426c user: js tags: trunk | |
22:38 | Reduce retain + autorelease check-in: 504e13cf00 user: js tags: trunk | |
Changes
Modified src/OFDataArray+MessagePackValue.h from [87bd9c3480] to [19398bebc1].
︙ | ︙ | |||
29 30 31 32 33 34 35 36 37 38 | @interface OFDataArray (MessagePackValue) /*! * @brief Parses the MessagePack representation and returns it as an object. * * @return The MessagePack representation as an object */ - (id)messagePackValue; @end OF_ASSUME_NONNULL_END | > > > > > > > > > | 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 | @interface OFDataArray (MessagePackValue) /*! * @brief Parses the MessagePack representation and returns it as an object. * * @return The MessagePack representation as an object */ - (id)messagePackValue; /*! * @brief Parses the MessagePack representation and returns it as an object. * * @param depthLimit The maximum depth the parser should accept (defaults to 32 * if not specified, 0 means no limit (insecure!)) * @return The MessagePack representation as an object */ - (id)messagePackValueWithDepthLimit: (size_t)depthLimit; @end OF_ASSUME_NONNULL_END |
Modified src/OFDataArray+MessagePackValue.m from [d21c98d61f] to [c085900a12].
︙ | ︙ | |||
25 26 27 28 29 30 31 | #import "OFDictionary.h" #import "OFMessagePackExtension.h" #import "OFInvalidFormatException.h" int _OFDataArray_MessagePackValue_reference; | | > | 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 | #import "OFDictionary.h" #import "OFMessagePackExtension.h" #import "OFInvalidFormatException.h" int _OFDataArray_MessagePackValue_reference; static size_t parseObject(const uint8_t *buffer, size_t length, id *object, size_t depthLimit); static uint16_t readUInt16(const uint8_t *buffer) { return ((uint16_t)buffer[0] << 8) | buffer[1]; } |
︙ | ︙ | |||
50 51 52 53 54 55 56 | return ((uint64_t)buffer[0] << 56) | ((uint64_t)buffer[1] << 48) | ((uint64_t)buffer[2] << 40) | ((uint64_t)buffer[3] << 32) | ((uint64_t)buffer[4] << 24) | ((uint64_t)buffer[5] << 16) | ((uint64_t)buffer[6] << 8) | buffer[7]; } static size_t | | > > > > > > | > | > > > > > > | > | > | > | 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 | return ((uint64_t)buffer[0] << 56) | ((uint64_t)buffer[1] << 48) | ((uint64_t)buffer[2] << 40) | ((uint64_t)buffer[3] << 32) | ((uint64_t)buffer[4] << 24) | ((uint64_t)buffer[5] << 16) | ((uint64_t)buffer[6] << 8) | buffer[7]; } static size_t parseArray(const uint8_t *buffer, size_t length, id *object, size_t count, size_t depthLimit) { void *pool; size_t pos = 0; if (--depthLimit == 0) { *object = nil; return 0; } /* * Don't use capacity! For data and strings, this is safe, as we can * check if we still have enough bytes left. For an array however, we * can't know this, as every child can be more than one byte. */ *object = [OFMutableArray array]; for (size_t i = 0; i < count; i++) { id child; size_t childLength; pool = objc_autoreleasePoolPush(); childLength = parseObject(buffer + pos, length - pos, &child, depthLimit); if (childLength == 0 || child == nil) { objc_autoreleasePoolPop(pool); *object = nil; return 0; } pos += childLength; [*object addObject: child]; objc_autoreleasePoolPop(pool); } return pos; } static size_t parseTable(const uint8_t *buffer, size_t length, id *object, size_t count, size_t depthLimit) { void *pool; size_t pos = 0; if (--depthLimit == 0) { *object = nil; return 0; } /* * Don't use capacity! For data and strings, this is safe, as we can * check if we still have enough bytes left. For a dictionary however, * we can't know this, as every key / value can be more than one byte. */ *object = [OFMutableDictionary dictionary]; for (size_t i = 0; i < count; i++) { id key, value; size_t keyLength, valueLength; pool = objc_autoreleasePoolPush(); keyLength = parseObject(buffer + pos, length - pos, &key, depthLimit); if (keyLength == 0 || key == nil) { objc_autoreleasePoolPop(pool); *object = nil; return 0; } pos += keyLength; valueLength = parseObject(buffer + pos, length - pos, &value, depthLimit); if (valueLength == 0 || value == nil) { objc_autoreleasePoolPop(pool); *object = nil; return 0; } pos += valueLength; [*object setObject: value forKey: key]; objc_autoreleasePoolPop(pool); } return pos; } static size_t parseObject(const uint8_t *buffer, size_t length, id *object, size_t depthLimit) { size_t count; int8_t type; OFDataArray *data; if (length < 1) goto error; |
︙ | ︙ | |||
169 170 171 172 173 174 175 | length: count]; return count + 1; } /* fixarray */ if ((buffer[0] & 0xF0) == 0x90) return parseArray(buffer + 1, length - 1, object, | | | | 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 | length: count]; return count + 1; } /* fixarray */ if ((buffer[0] & 0xF0) == 0x90) return parseArray(buffer + 1, length - 1, object, buffer[0] & 0xF, depthLimit) + 1; /* fixmap */ if ((buffer[0] & 0xF0) == 0x80) return parseTable(buffer + 1, length - 1, object, buffer[0] & 0xF, depthLimit) + 1; /* Prefix byte */ switch (*buffer) { /* Unsigned integers */ case 0xCC: /* uint8 */ if (length < 2) goto error; |
︙ | ︙ | |||
423 424 425 426 427 428 429 | extensionWithType: type data: data]; } @finally { [data release]; } return 4; | | | | 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 | extensionWithType: type data: data]; } @finally { [data release]; } return 4; case 0xD6: /* fixext 4 */ if (length < 6) goto error; type = buffer[1]; data = [[OFDataArray alloc] initWithCapacity: 4]; @try { [data addItems: buffer + 2 count: 4]; *object = [OFMessagePackExtension extensionWithType: type data: data]; } @finally { [data release]; } return 6; case 0xD7: /* fixext 8 */ if (length < 10) goto error; type = buffer[1]; data = [[OFDataArray alloc] initWithCapacity: 8]; @try { |
︙ | ︙ | |||
526 527 528 529 530 531 532 | return count + 5; /* Arrays */ case 0xDC: /* array 16 */ if (length < 3) goto error; return parseArray(buffer + 3, length - 3, object, | | | | | > > > > > > | > > > > | 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 | return count + 5; /* Arrays */ case 0xDC: /* array 16 */ if (length < 3) goto error; return parseArray(buffer + 3, length - 3, object, readUInt16(buffer + 1), depthLimit) + 3; case 0xDD: /* array 32 */ if (length < 5) goto error; return parseArray(buffer + 5, length - 5, object, readUInt32(buffer + 1), depthLimit) + 5; /* Maps */ case 0xDE: /* map 16 */ if (length < 3) goto error; return parseTable(buffer + 3, length - 3, object, readUInt16(buffer + 1), depthLimit) + 3; case 0xDF: /* map 32 */ if (length < 5) goto error; return parseTable(buffer + 5, length - 5, object, readUInt32(buffer + 1), depthLimit) + 5; } error: *object = nil; return 0; } @implementation OFDataArray (MessagePackValue) - (id)messagePackValue { return [self messagePackValueWithDepthLimit: 32]; } - (id)messagePackValueWithDepthLimit: (size_t)depthLimit { void *pool = objc_autoreleasePoolPush(); size_t count = [self count]; id object; if (parseObject([self items], count, &object, depthLimit) != count || object == nil) @throw [OFInvalidFormatException exception]; [object retain]; objc_autoreleasePoolPop(pool); return object; } @end |
Modified src/OFString+JSONValue.m from [a9f012805c] to [9ab88e7a0f].
︙ | ︙ | |||
30 31 32 33 34 35 36 | #import "OFNull.h" #import "OFInvalidJSONException.h" int _OFString_JSONValue_reference; static id nextObject(const char **pointer, const char *stop, size_t *line, | | | 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 | #import "OFNull.h" #import "OFInvalidJSONException.h" int _OFString_JSONValue_reference; static id nextObject(const char **pointer, const char *stop, size_t *line, size_t depthLimit); static void skipWhitespaces(const char **pointer, const char *stop, size_t *line) { while (*pointer < stop && (**pointer == ' ' || **pointer == '\t' || **pointer == '\r' || **pointer == '\n')) { if (**pointer == '\n') |
︙ | ︙ | |||
386 387 388 389 390 391 392 | * reach stop. */ return nil; } static inline OFMutableArray * parseArray(const char **pointer, const char *stop, size_t *line, | | | | 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 | * reach stop. */ return nil; } static inline OFMutableArray * parseArray(const char **pointer, const char *stop, size_t *line, size_t depthLimit) { OFMutableArray *array = [OFMutableArray array]; if (++(*pointer) >= stop) return nil; if (--depthLimit == 0) return nil; while (**pointer != ']') { id object; skipWhitespacesAndComments(pointer, stop, line); if (*pointer >= stop) |
︙ | ︙ | |||
416 417 418 419 420 421 422 | if (*pointer >= stop || **pointer != ']') return nil; break; } | | | 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 | if (*pointer >= stop || **pointer != ']') return nil; break; } object = nextObject(pointer, stop, line, depthLimit); if (object == nil) return nil; [array addObject: object]; skipWhitespacesAndComments(pointer, stop, line); if (*pointer >= stop) |
︙ | ︙ | |||
443 444 445 446 447 448 449 | (*pointer)++; return array; } static inline OFMutableDictionary * parseDictionary(const char **pointer, const char *stop, size_t *line, | | | | 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 | (*pointer)++; return array; } static inline OFMutableDictionary * parseDictionary(const char **pointer, const char *stop, size_t *line, size_t depthLimit) { OFMutableDictionary *dictionary = [OFMutableDictionary dictionary]; if (++(*pointer) >= stop) return nil; if (--depthLimit == 0) return nil; while (**pointer != '}') { id key, object; skipWhitespacesAndComments(pointer, stop, line); if (*pointer >= stop) |
︙ | ︙ | |||
482 483 484 485 486 487 488 | return nil; if ((**pointer >= 'a' && **pointer <= 'z') || (**pointer >= 'A' && **pointer <= 'Z') || **pointer == '_' || **pointer == '$' || **pointer == '\\') key = parseIdentifier(pointer, stop); else | | < | | 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 | return nil; if ((**pointer >= 'a' && **pointer <= 'z') || (**pointer >= 'A' && **pointer <= 'Z') || **pointer == '_' || **pointer == '$' || **pointer == '\\') key = parseIdentifier(pointer, stop); else key = nextObject(pointer, stop, line, depthLimit); if (key == nil) return nil; skipWhitespacesAndComments(pointer, stop, line); if (*pointer + 1 >= stop || **pointer != ':') return nil; (*pointer)++; object = nextObject(pointer, stop, line, depthLimit); if (object == nil) return nil; [dictionary setObject: object forKey: key]; skipWhitespacesAndComments(pointer, stop, line); |
︙ | ︙ | |||
571 572 573 574 575 576 577 | } return number; } static id nextObject(const char **pointer, const char *stop, size_t *line, | | | | | 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 | } return number; } static id nextObject(const char **pointer, const char *stop, size_t *line, size_t depthLimit) { skipWhitespacesAndComments(pointer, stop, line); if (*pointer >= stop) return nil; switch (**pointer) { case '"': case '\'': return parseString(pointer, stop, line); case '[': return parseArray(pointer, stop, line, depthLimit); case '{': return parseDictionary(pointer, stop, line, depthLimit); case 't': if (*pointer + 3 >= stop) return nil; if (memcmp(*pointer, "true", 4) != 0) return nil; |
︙ | ︙ | |||
650 651 652 653 654 655 656 | { void *pool = objc_autoreleasePoolPush(); const char *pointer = [self UTF8String]; const char *stop = pointer + [self UTF8StringLength]; id object; size_t line = 1; | | | 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 | { void *pool = objc_autoreleasePoolPush(); const char *pointer = [self UTF8String]; const char *stop = pointer + [self UTF8StringLength]; id object; size_t line = 1; object = nextObject(&pointer, stop, &line, depthLimit); skipWhitespacesAndComments(&pointer, stop, &line); if (pointer < stop || object == nil) @throw [OFInvalidJSONException exceptionWithString: self line: line]; [object retain]; objc_autoreleasePoolPop(pool); return [object autorelease]; } @end |
Modified tests/OFJSONTests.m from [0d2731c6ad] to [e1f8244382].
︙ | ︙ | |||
64 65 66 67 68 69 70 71 72 73 74 | [@"{" JSONValue]) EXPECT_EXCEPTION(@"-[JSONValue] #3", OFInvalidJSONException, [@"]" JSONValue]) EXPECT_EXCEPTION(@"-[JSONValue] #4", OFInvalidJSONException, [@"bar" JSONValue]) EXPECT_EXCEPTION(@"-[JSONValue] #5", OFInvalidJSONException, [@"[\"a\" \"b\"]" JSONValue]) [pool drain]; } @end | > > > > > > > > > > > > > > > > > > > > > > > > | 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 | [@"{" JSONValue]) EXPECT_EXCEPTION(@"-[JSONValue] #3", OFInvalidJSONException, [@"]" JSONValue]) EXPECT_EXCEPTION(@"-[JSONValue] #4", OFInvalidJSONException, [@"bar" JSONValue]) EXPECT_EXCEPTION(@"-[JSONValue] #5", OFInvalidJSONException, [@"[\"a\" \"b\"]" JSONValue]) TEST(@"-[JSONValue] #6", [[@"[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[{}]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]" JSONValue] isEqual: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFArray arrayWithObject: [OFDictionary dictionary]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]) EXPECT_EXCEPTION(@"-[JSONValue] #7", OFInvalidJSONException, [@"[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[{}]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]" JSONValue]) [pool drain]; } @end |