With CVE-2016-4425 patch json_loads now fails to parse such json: {"x":{ "a":[ ["aaaa1"], ["aaaa2"], ["aaaa3"], ... few thousand items ... ] }} You limited "breadth", not "depth".
Hi Yuri, Thanks for the report. The reference to this PR has been attached to the original upstream issue at https://github.com/akheron/jansson/issues/282. Let's see what they want to do about this regression.
Reported as https://github.com/akheron/jansson/issues/286 per their request. Yuri, can you upload a copy of the test case either here or to the upstream issue?
Created attachment 170278 [details] jansson-test.c Please build the attached C testcase with this command: > cc -o jansson-test -I /usr/local/include -L/usr/local/lib -ljansson jansson-test.c
A commit references this bug: Author: vanilla Date: Mon May 16 02:25:41 UTC 2016 New revision: 415303 URL: https://svnweb.freebsd.org/changeset/ports/415303 Log: Fix issue to parse large flat json files. PR: 209492 Reported by: yuri@rawbw.com Changes: head/devel/jansson/Makefile head/devel/jansson/files/patch-CVE-2016-4425
I think I missing some part of upstream, after review whole patches, It should be ok now, please try it again, thanks.
A commit references this bug: Author: junovitch Date: Fri May 20 01:39:07 UTC 2016 New revision: 415538 URL: https://svnweb.freebsd.org/changeset/ports/415538 Log: MFH: r415303 Fix issue to parse large flat json files. PR: 209492 Reported by: yuri@rawbw.com Approved by: ports-secteam (with hat) Changes: _U branches/2016Q2/ branches/2016Q2/devel/jansson/Makefile branches/2016Q2/devel/jansson/files/patch-CVE-2016-4425
Set merge-quarterly+ appropriately. The original fix and fix for the regression it caused both should be in quarterly.
This works. Thanks!