From 356575d0e0d1cea8f00a8b63bca5a9a3f55fe681 Mon Sep 17 00:00:00 2001
From: Eric Fischer
Date: Mon, 28 Mar 2016 12:25:33 -0700
Subject: [PATCH] Check for JSON array and hash overflows

---
 jsonpull.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/jsonpull.c b/jsonpull.c
index 869e913..4147b4f 100644
--- a/jsonpull.c
+++ b/jsonpull.c
@@ -100,7 +100,7 @@ static inline int read_wrap(json_pull *j) {
 return c;
 }
 
-#define SIZE_FOR(i) (((i) + 31) & ~31)
+#define SIZE_FOR(i) ((size_t)(((i) + 31) & ~31))
 
 static json_object *fabricate_object(json_object *parent, json_type type) {
 json_object *o = malloc(sizeof(struct json_object));
@@ -125,6 +125,10 @@ static json_object *add_object(json_pull *j, json_type type) {
 if (c->type == JSON_ARRAY) {
 if (c->expect == JSON_ITEM) {
 if (SIZE_FOR(c->length + 1) != SIZE_FOR(c->length)) {
+ if (SIZE_FOR(c->length + 1) < SIZE_FOR(c->length)) {
+ fprintf(stderr, "Array size overflow\n");
+ exit(EXIT_FAILURE);
+ }
 c->array = realloc(c->array, SIZE_FOR(c->length + 1) * sizeof(json_object *));
 if (c->array == NULL) {
 perror("Out of memory");
@@ -151,6 +155,10 @@ static json_object *add_object(json_pull *j, json_type type) {
 }
 
 if (SIZE_FOR(c->length + 1) != SIZE_FOR(c->length)) {
+ if (SIZE_FOR(c->length + 1) < SIZE_FOR(c->length)) {
+ fprintf(stderr, "Hash size overflow\n");
+ exit(EXIT_FAILURE);
+ }
 c->keys = realloc(c->keys, SIZE_FOR(c->length + 1) * sizeof(json_object *));
 c->values = realloc(c->values, SIZE_FOR(c->length + 1) * sizeof(json_object *));
 if (c->keys == NULL || c->values == NULL) {
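Review bot: The `(size_t)` cast in the new `SIZE_FOR` is applied only after `(i) + 31` and the mask have been evaluated in the argument's own type, so it widens the result for the later multiplication but does not protect the rounding itself. If `c->length` is a signed `int` (its declaration is not visible in this patch), `c->length + 1 + 31` near `INT_MAX` is signed overflow, which is undefined behaviour, and a compiler is then allowed to drop the `SIZE_FOR(c->length + 1) < SIZE_FOR(c->length)` tests added in the later hunks. Converting the argument first keeps the arithmetic unsigned and makes the wrap well defined: `#define SIZE_FOR(i) ((((size_t)(i)) + 31) & ~(size_t)31)`.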
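Review bot: The added `SIZE_FOR(c->length + 1) < SIZE_FOR(c->length)` test in the array branch detects only the rounded element count wrapping. The byte count handed to `realloc`, `SIZE_FOR(c->length + 1) * sizeof(json_object *)`, wraps earlier, as soon as the count exceeds `SIZE_MAX / sizeof(json_object *)`, and a wrapped product would give an undersized buffer that later element stores could run past. I would extend the condition to `if (SIZE_FOR(c->length + 1) < SIZE_FOR(c->length) || SIZE_FOR(c->length + 1) > SIZE_MAX / sizeof(json_object *)) {`, which needs `<stdint.h>` (whether it is already included is not visible here). The hash hunk at -151 has the same gap for both the `c->keys` and `c->values` calls. `add_object` begins and ends outside these hunks, so how the arrays are indexed afterwards is inferred rather than seen.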