Found a stack overflow in json_prettify when fed deeply nested JSON. Shouldn't be too hard to reproduce.
What's happening
json_prettify calls json_walk internally, which calls json_parse_value and json_parse_array — those two call each other recursively with no depth cap at all. With a deeply nested array you can get 190+ stack frames before it falls over.
Affected Function: json_prettify → json_walk → json_parse_array / json_parse_value
Source Location: frozen.c:311, frozen.c:356
Crash Input:
[[[[[[[[[[[[[[[[[[[[[[[[{"P":{"b":[[[[[[[[[[[[[[[[[[[{"id":1},...
Crashes with SIGILL (UBSan/ASan abort). Any untrusted JSON passed to json_prettify can trigger this.
Found a stack overflow in
json_prettifywhen fed deeply nested JSON. Shouldn't be too hard to reproduce.What's happening
json_prettifycallsjson_walkinternally, which callsjson_parse_valueandjson_parse_array— those two call each other recursively with no depth cap at all. With a deeply nested array you can get 190+ stack frames before it falls over.Affected Function: json_prettify → json_walk → json_parse_array / json_parse_value
Source Location: frozen.c:311, frozen.c:356
Crash Input:
[[[[[[[[[[[[[[[[[[[[[[[[{"P":{"b":[[[[[[[[[[[[[[[[[[[{"id":1},...
Crashes with SIGILL (UBSan/ASan abort). Any untrusted JSON passed to
json_prettifycan trigger this.