Limit nesting depth to 1000 and make it configurable.

README.md

@@ -389,6 +389,10 @@ cJSON does not officially support any `double` implementations other than IEE754
 
 The maximum length of a floating point literal that cJSON supports is currently 63 characters.
 
+#### Deep Nesting Of Arrays And Objects
+
+cJSON doesn't support arrays and objects that are nested too deeply because this would result in a stack overflow. To prevent this cJSON limits the depth to `CJSON_NESTING_LIMIT` which is 1000 by default but can be changed at compile time.
+
 #### Thread Safety
 
 In general cJSON is **not thread safe**.

cJSON.c

@@ -202,6 +202,7 @@ typedef struct
     const unsigned char *content;
     size_t length;
     size_t offset;
+    size_t depth; /* How deeply nested (in arrays/objects) is the input at the current offset. */
 } parse_buffer;
 
 /* check if the given size is left to read in a given parse buffer (starting with 1) */
@@ -956,7 +957,7 @@ static parse_buffer *buffer_skip_whitespace(parse_buffer * const buffer)
 /* Parse an object - create a new root, and populate. */
 CJSON_PUBLIC(cJSON *) cJSON_ParseWithOpts(const char *value, const char **return_parse_end, cJSON_bool require_null_terminated)
 {
-    parse_buffer buffer = { 0, 0, 0 };
+    parse_buffer buffer = { 0, 0, 0, 0 };
     cJSON *item = NULL;
 
     /* reset error position */
@@ -1296,6 +1297,12 @@ static cJSON_bool parse_array(cJSON * const item, parse_buffer * const input_buf
     cJSON *head = NULL; /* head of the linked list */
     cJSON *current_item = NULL;
 
+    if (input_buffer->depth >= CJSON_NESTING_LIMIT)
+    {
+        return false; /* to deeply nested */
+    }
+    input_buffer->depth++;
+
     if (buffer_at_offset(input_buffer)[0] != '[')
     {
         /* not an array */
@@ -1360,6 +1367,8 @@ static cJSON_bool parse_array(cJSON * const item, parse_buffer * const input_buf
     }
 
 success:
+    input_buffer->depth--;
+
     item->type = cJSON_Array;
     item->child = head;
 
@@ -1442,6 +1451,12 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
     cJSON *head = NULL; /* linked list head */
     cJSON *current_item = NULL;
 
+    if (input_buffer->depth >= CJSON_NESTING_LIMIT)
+    {
+        return false; /* to deeply nested */
+    }
+    input_buffer->depth++;
+
     if (cannot_access_at_index(input_buffer, 0) || (buffer_at_offset(input_buffer)[0] != '{'))
     {
         goto fail; /* not an object */
@@ -1522,6 +1537,8 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
     }
 
 success:
+    input_buffer->depth--;
+
     item->type = cJSON_Object;
     item->child = head;
 

cJSON.h

@@ -123,6 +123,12 @@ then using the CJSON_API_VISIBILITY flag to "export" the same symbols the way CJ
 #endif
 #endif
 
+/* Limits how deeply nested arrays/objects can be before cJSON rejects to parse them.
+ * This is to prevent stack overflows. */
+#ifndef CJSON_NESTING_LIMIT
+#define CJSON_NESTING_LIMIT 1000
+#endif
+
 /* returns the version of cJSON as a string */
 CJSON_PUBLIC(const char*) cJSON_Version(void);
 

tests/misc_tests.c

@@ -183,6 +183,20 @@ static void typecheck_functions_should_check_type(void)
     TEST_ASSERT_TRUE(cJSON_IsRaw(item));
 }
 
+static void cjson_should_not_parse_to_deeply_nested_jsons(void)
+{
+    char deep_json[CJSON_NESTING_LIMIT + 1];
+    size_t position = 0;
+
+    for (position = 0; position < sizeof(deep_json); position++)
+    {
+        deep_json[position] = '[';
+    }
+    deep_json[sizeof(deep_json) - 1] = '\0';
+
+    TEST_ASSERT_NULL_MESSAGE(cJSON_Parse(deep_json), "To deep JSONs should not be parsed.");
+}
+
 int main(void)
 {
     UNITY_BEGIN();
@@ -192,6 +206,7 @@ int main(void)
     RUN_TEST(cjson_get_object_item_should_get_object_items);
     RUN_TEST(cjson_get_object_item_case_sensitive_should_get_object_items);
     RUN_TEST(typecheck_functions_should_check_type);
+    RUN_TEST(cjson_should_not_parse_to_deeply_nested_jsons);
 
     return UNITY_END();
 }

tests/parse_array.c

@@ -44,10 +44,9 @@ static void assert_is_array(cJSON *array_item)
 
 static void assert_not_array(const char *json)
 {
-    parse_buffer buffer;
+    parse_buffer buffer = { 0, 0, 0, 0 };
     buffer.content = (const unsigned char*)json;
     buffer.length = strlen(json) + sizeof("");
-    buffer.offset = 0;
 
     TEST_ASSERT_FALSE(parse_array(item, &buffer, &global_hooks));
     assert_is_invalid(item);
@@ -55,10 +54,9 @@ static void assert_not_array(const char *json)
 
 static void assert_parse_array(const char *json)
 {
-    parse_buffer buffer;
+    parse_buffer buffer = { 0, 0, 0, 0 };
     buffer.content = (const unsigned char*)json;
     buffer.length = strlen(json) + sizeof("");
-    buffer.offset = 0;
 
     TEST_ASSERT_TRUE(parse_array(item, &buffer, &global_hooks));
     assert_is_array(item);

tests/parse_number.c

@@ -45,10 +45,9 @@ static void assert_is_number(cJSON *number_item)
 
 static void assert_parse_number(const char *string, int integer, double real)
 {
-    parse_buffer buffer;
+    parse_buffer buffer = { 0, 0, 0, 0 };
     buffer.content = (const unsigned char*)string;
     buffer.length = strlen(string) + sizeof("");
-    buffer.offset = 0;
 
     TEST_ASSERT_TRUE(parse_number(item, &buffer));
     assert_is_number(item);

tests/parse_object.c

@@ -52,10 +52,9 @@ static void assert_is_child(cJSON *child_item, const char *name, int type)
 
 static void assert_not_object(const char *json)
 {
-    parse_buffer parsebuffer;
+    parse_buffer parsebuffer = { 0, 0, 0, 0 };
     parsebuffer.content = (const unsigned char*)json;
     parsebuffer.length = strlen(json) + sizeof("");
-    parsebuffer.offset = 0;
 
     TEST_ASSERT_FALSE(parse_object(item, &parsebuffer, &global_hooks));
     assert_is_invalid(item);
@@ -64,10 +63,9 @@ static void assert_not_object(const char *json)
 
 static void assert_parse_object(const char *json)
 {
-    parse_buffer parsebuffer;
+    parse_buffer parsebuffer = { 0, 0, 0, 0 };
     parsebuffer.content = (const unsigned char*)json;
     parsebuffer.length = strlen(json) + sizeof("");
-    parsebuffer.offset = 0;
 
     TEST_ASSERT_TRUE(parse_object(item, &parsebuffer, &global_hooks));
     assert_is_object(item);

tests/parse_string.c

@@ -45,10 +45,9 @@ static void assert_is_string(cJSON *string_item)
 
 static void assert_parse_string(const char *string, const char *expected)
 {
-    parse_buffer buffer;
+    parse_buffer buffer = { 0, 0, 0, 0 };
     buffer.content = (const unsigned char*)string;
     buffer.length = strlen(string) + sizeof("");
-    buffer.offset = 0;
 
     TEST_ASSERT_TRUE_MESSAGE(parse_string(item, &buffer, &global_hooks), "Couldn't parse string.");
     assert_is_string(item);
@@ -59,10 +58,9 @@ static void assert_parse_string(const char *string, const char *expected)
 
 static void assert_not_parse_string(const char * const string)
 {
-    parse_buffer buffer;
+    parse_buffer buffer = { 0, 0, 0, 0 };
     buffer.content = (const unsigned char*)string;
     buffer.length = strlen(string) + sizeof("");
-    buffer.offset = 0;
 
     TEST_ASSERT_FALSE_MESSAGE(parse_string(item, &buffer, &global_hooks), "Malformed string should not be accepted.");
     assert_is_invalid(item);

tests/parse_value.c

@@ -43,10 +43,9 @@ static void assert_is_value(cJSON *value_item, int type)
 
 static void assert_parse_value(const char *string, int type)
 {
-    parse_buffer buffer;
+    parse_buffer buffer = { 0, 0, 0, 0 };
     buffer.content = (const unsigned char*) string;
     buffer.length = strlen(string) + sizeof("");
-    buffer.offset = 0;
     TEST_ASSERT_TRUE(parse_value(item, &buffer, &global_hooks));
     assert_is_value(item, type);
 }

tests/print_array.c

@@ -34,10 +34,9 @@ static void assert_print_array(const char * const expected, const char * const i
     printbuffer formatted_buffer;
     printbuffer unformatted_buffer;
 
-    parse_buffer parsebuffer;
+    parse_buffer parsebuffer = { 0, 0, 0, 0 };
     parsebuffer.content = (const unsigned char*)input;
     parsebuffer.length = strlen(input) + sizeof("");
-    parsebuffer.offset = 0;
 
     /* buffer for formatted printing */
     formatted_buffer.buffer = printed_formatted;

tests/print_object.c

@@ -33,12 +33,11 @@ static void assert_print_object(const char * const expected, const char * const
 
     printbuffer formatted_buffer;
     printbuffer unformatted_buffer;
-    parse_buffer parsebuffer;
+    parse_buffer parsebuffer = { 0, 0, 0, 0 };
 
     /* buffer for parsing */
     parsebuffer.content = (const unsigned char*)input;
     parsebuffer.length = strlen(input) + sizeof("");
-    parsebuffer.offset = 0;
 
     /* buffer for formatted printing */
     formatted_buffer.buffer = printed_formatted;

tests/print_value.c

@@ -33,7 +33,7 @@ static void assert_print_value(const char *input)
     unsigned char printed[1024];
     cJSON item[1];
     printbuffer buffer;
-    parse_buffer parsebuffer;
+    parse_buffer parsebuffer = { 0, 0, 0, 0 };
     buffer.buffer = printed;
     buffer.length = sizeof(printed);
     buffer.offset = 0;
@@ -41,7 +41,6 @@ static void assert_print_value(const char *input)
 
     parsebuffer.content = (const unsigned char*)input;
     parsebuffer.length = strlen(input) + sizeof("");
-    parsebuffer.offset = 0;
 
     memset(item, 0, sizeof(item));