Merge pull request #4438

e350cc5a wallet2: fix duplicate output making it to the RPC (moneromooo-monero) bf9a0f4c epee: fix stack overflow on crafted input (moneromooo-monero) 45683ee0 epee: fix invalid memory write reading an array entry (moneromooo-monero)
author: Riccardo Spagni <ric@spagni.net> 2018-09-25 13:33:37 +0200
committer: Riccardo Spagni <ric@spagni.net> 2018-09-25 13:33:37 +0200
commit: f2eee1eb8c9f6271818b0b7ff943e72bcca0f192 (patch)
tree: 2503db486e9386f63d008ce9813baa7d0125e394 /contrib
parent: Merge pull request #4435 (diff)
parent: wallet2: fix duplicate output making it to the RPC (diff)
download: monero-f2eee1eb8c9f6271818b0b7ff943e72bcca0f192.tar.xz
2 files changed, 16 insertions, 5 deletions
diff --git a/contrib/epee/include/storages/portable_storage_from_bin.h b/contrib/epee/include/storages/portable_storage_from_bin.h
index 44a80cb21..f9cc22d27 100644
--- a/contrib/epee/include/storages/portable_storage_from_bin.h
+++ b/contrib/epee/include/storages/portable_storage_from_bin.h
@@ -59,6 +59,7 @@ namespace epee
       storage_entry load_storage_entry();
       void read(section& sec);
       void read(std::string& str);
+      void read(array_entry &ae);
     private:
       struct recursuion_limitation_guard
       {
@@ -114,6 +115,7 @@ namespace epee
     void throwable_buffer_reader::read(t_pod_type& pod_val)
     {
       RECURSION_LIMITATION();
+      static_assert(std::is_pod<t_pod_type>::value, "POD type expected");
       read(&pod_val, sizeof(pod_val));
     }
     
@@ -277,5 +279,11 @@ namespace epee
       m_ptr+=len;
       m_count -= len;
     }
+    inline
+    void throwable_buffer_reader::read(array_entry &ae)
+    {
+      RECURSION_LIMITATION();
+      CHECK_AND_ASSERT_THROW_MES(false, "Reading array entry is not supported");
+    }
   }
 }
diff --git a/contrib/epee/include/storages/portable_storage_from_json.h b/contrib/epee/include/storages/portable_storage_from_json.h
index 727f36552..5b2eafa9a 100644
--- a/contrib/epee/include/storages/portable_storage_from_json.h
+++ b/contrib/epee/include/storages/portable_storage_from_json.h
@@ -30,6 +30,8 @@
 #include "parserse_base_utils.h"
 #include "file_io_utils.h"
 
+#define EPEE_JSON_RECURSION_LIMIT_INTERNAL 100
+
 namespace epee
 {
   using namespace misc_utils::parse;
@@ -44,8 +46,9 @@ namespace epee
         ASSERT_MES_AND_THROW("json parse error");
       }*/
       template<class t_storage>
-      inline void run_handler(typename t_storage::hsection current_section, std::string::const_iterator& sec_buf_begin, std::string::const_iterator buf_end, t_storage& stg)
+      inline void run_handler(typename t_storage::hsection current_section, std::string::const_iterator& sec_buf_begin, std::string::const_iterator buf_end, t_storage& stg, unsigned int recursion)
       {
+        CHECK_AND_ASSERT_THROW_MES(recursion < EPEE_JSON_RECURSION_LIMIT_INTERNAL, "Wrong JSON data: recursion limitation (" << EPEE_JSON_RECURSION_LIMIT_INTERNAL << ") exceeded");
 
         std::string::const_iterator sub_element_start;
         std::string name;        
@@ -157,7 +160,7 @@ namespace epee
               //sub section here
               typename t_storage::hsection new_sec = stg.open_section(name, current_section, true);
               CHECK_AND_ASSERT_THROW_MES(new_sec, "Failed to insert new section in json: " << std::string(it, buf_end));
-              run_handler(new_sec, it, buf_end, stg);
+              run_handler(new_sec, it, buf_end, stg, recursion + 1);
               state = match_state_wonder_after_value;
             }else if(*it == '[')
             {//array of something
@@ -186,7 +189,7 @@ namespace epee
               typename t_storage::hsection new_sec = nullptr;
               h_array = stg.insert_first_section(name, new_sec, current_section);
               CHECK_AND_ASSERT_THROW_MES(h_array&&new_sec, "failed to create new section");
-              run_handler(new_sec, it, buf_end, stg);
+              run_handler(new_sec, it, buf_end, stg, recursion + 1);
               state = match_state_array_after_value;
               array_md = array_mode_sections;
             }else if(*it == '"')
@@ -260,7 +263,7 @@ namespace epee
                 typename t_storage::hsection new_sec = NULL;
                 bool res = stg.insert_next_section(h_array, new_sec);
                 CHECK_AND_ASSERT_THROW_MES(res&&new_sec, "failed to insert next section");
-                run_handler(new_sec, it, buf_end, stg);
+                run_handler(new_sec, it, buf_end, stg, recursion + 1);
                 state = match_state_array_after_value;
               }else CHECK_ISSPACE();
               break;
@@ -362,7 +365,7 @@ namespace epee
         std::string::const_iterator sec_buf_begin  = buff_json.begin();
         try
         {
-          run_handler(nullptr, sec_buf_begin, buff_json.end(), stg);
+          run_handler(nullptr, sec_buf_begin, buff_json.end(), stg, 0);
           return true;
         }
         catch(const std::exception& ex)
author	Riccardo Spagni <ric@spagni.net>	2018-09-25 13:33:37 +0200
committer	Riccardo Spagni <ric@spagni.net>	2018-09-25 13:33:37 +0200
commit	f2eee1eb8c9f6271818b0b7ff943e72bcca0f192 (patch)
tree	2503db486e9386f63d008ce9813baa7d0125e394 /contrib
parent	Merge pull request #4435 (diff)
parent	wallet2: fix duplicate output making it to the RPC (diff)
download	monero-f2eee1eb8c9f6271818b0b7ff943e72bcca0f192.tar.xz