Daniel Garcia Moreno
00f03220b9
Add CVE-2025-67221.patch to fix write outsize of allocated memory on json dump (bsc#1257121, gh#ijl/orjson#637)
46 lines
1.6 KiB
Diff
46 lines
1.6 KiB
Diff
From e959d90ac722022b781b19f86e6ea9adaba8e383 Mon Sep 17 00:00:00 2001
|
|
From: Daniel Garcia Moreno <dani@danigm.net>
|
|
Date: Fri, 23 Jan 2026 20:22:23 +0100
|
|
Subject: [PATCH] formatter: reserve_minimum in end_ methods
|
|
|
|
In highly nested json objects it's possible to have a lot of consecutive
|
|
closing characters that are added by end_array and end_object. These
|
|
methods adds one byte without checking the buffer capacity, so it's
|
|
possible to try to write when there's no capacity.
|
|
|
|
This patch makes sure that the buffer has at least minimum space before
|
|
writing.
|
|
|
|
This is the upstream commit that removes this check: c369ea44820e2e0798f17f99a0dff65bec2186a9
|
|
```
|
|
$ git log -p c369ea44820e2e0798f17f99a0dff65bec2186a9 -- src/serialize/writer/formatter.rs
|
|
```
|
|
|
|
Fix https://github.com/ijl/orjson/issues/636
|
|
---
|
|
src/serialize/writer/formatter.rs | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
Index: orjson-3.10.15/src/serialize/writer/formatter.rs
|
|
===================================================================
|
|
--- orjson-3.10.15.orig/src/serialize/writer/formatter.rs
|
|
+++ orjson-3.10.15/src/serialize/writer/formatter.rs
|
|
@@ -202,7 +202,7 @@ pub trait Formatter {
|
|
where
|
|
W: ?Sized + io::Write + WriteExt,
|
|
{
|
|
- debug_assert_has_capacity!(writer);
|
|
+ reserve_minimum!(writer);
|
|
unsafe { writer.write_reserved_punctuation(b']').unwrap() };
|
|
Ok(())
|
|
}
|
|
@@ -244,7 +244,7 @@ pub trait Formatter {
|
|
where
|
|
W: ?Sized + io::Write + WriteExt,
|
|
{
|
|
- debug_assert_has_capacity!(writer);
|
|
+ reserve_minimum!(writer);
|
|
unsafe {
|
|
writer.write_reserved_punctuation(b'}').unwrap();
|
|
}
|