harden JSON parser error handling and bounds checks

JeremiahM37 · JeremiahM37 · commit 58a77b9d93d1 · 2026-04-06T16:42:47.000Z
diff --git a/src/json/centijson_dom.c b/src/json/centijson_dom.c
@@ -266,10 +266,14 @@ json_dom_process(JSON_TYPE type, const unsigned char* data, size_t data_size, vo
          * append their json_values. */
         if(dom_parser->path_size >= dom_parser->path_alloc) {
             JSON_VALUE** new_path;
-            size_t new_path_alloc = dom_parser->path_alloc * 2;
+            size_t new_path_alloc;
 
-            if(new_path_alloc == 0)
+            if(dom_parser->path_alloc == 0)
                 new_path_alloc = 32;
+            else if(dom_parser->path_alloc > SIZE_MAX / 2 / sizeof(JSON_VALUE*))
+                return JSON_ERR_OUTOFMEMORY;
+            else
+                new_path_alloc = dom_parser->path_alloc * 2;
             new_path = (JSON_VALUE**) realloc((void *)dom_parser->path, new_path_alloc * sizeof(JSON_VALUE*));
             if(new_path == NULL)
                 return JSON_ERR_OUTOFMEMORY;
@@ -617,8 +621,14 @@ json_dom_dump_helper(
                     keys_size = json_value_dict_keys_ordered(node, keys, n);
                 else
                     keys_size = json_value_dict_keys_sorted(node, keys, n);
-                if (keys_size != n)
+                if (keys_size != n) {
+#ifdef WOLFSENTRY
+                    json_free(WOLFSENTRY_CONTEXT_ARGS_OUT_EX(allocator), (void *)keys);
+#else
+                    free((void *)keys);
+#endif
                     return JSON_ERR_INTERNAL;
+                }
 
                 for(i = 0; i < n; i++) {
                     JSON_VALUE* json_value;
diff --git a/src/json/centijson_sax.c b/src/json/centijson_sax.c
@@ -857,10 +857,11 @@ json_feed(JSON_PARSER* parser, const unsigned char* input, size_t size)
     {
         /* Update parser->pos to point to the exact place. */
         while(parser->pos.offset < parser->config.max_total_len) {
+            ch = input[off];
+            off++;
             parser->pos.offset++;
             parser->pos.column_number++;
-            off++;
-            json_handle_new_line(parser, input[off]);
+            json_handle_new_line(parser, ch);
         }
 
         json_raise(parser, JSON_ERR_MAXTOTALLEN);
@@ -891,10 +892,15 @@ json_feed(JSON_PARSER* parser, const unsigned char* input, size_t size)
 
             if(parser->nesting_level >= parser->nesting_stack_size) {
                 unsigned char* new_nesting_stack;
-                size_t new_nesting_stack_size = parser->nesting_stack_size * 2;
+                size_t new_nesting_stack_size;
 
-                if(new_nesting_stack_size == 0)
+                if(parser->nesting_stack_size == 0)
                     new_nesting_stack_size = 32;
+                else if(parser->nesting_stack_size > SIZE_MAX / 2) {
+                    json_raise(parser, JSON_ERR_OUTOFMEMORY);
+                    break;
+                } else
+                    new_nesting_stack_size = parser->nesting_stack_size * 2;
                 new_nesting_stack = (unsigned char *)realloc(parser->nesting_stack, new_nesting_stack_size);
                 if(new_nesting_stack == NULL) {
                     json_raise(parser, JSON_ERR_OUTOFMEMORY);
diff --git a/src/json/centijson_value.c b/src/json/centijson_value.c
@@ -1794,15 +1794,19 @@ json_value_dict_clean(
             WOLFSENTRY_CONTEXT_ARGS_OUT_EX(allocator),
 #endif
             &node->key);
-        if (ret < 0)
+        if (ret < 0) {
+            free((void *)stack);
             return ret;
+        }
         ret = json_value_fini(
 #ifdef WOLFSENTRY
             WOLFSENTRY_CONTEXT_ARGS_OUT_EX(allocator),
 #endif
             &node->json_value);
-        if (ret < 0)
+        if (ret < 0) {
+            free((void *)stack);
             return ret;
+        }
         free(node);
 
         stack_size += json_value_dict_leftmost_path(stack + stack_size, right);
@@ -1928,6 +1932,8 @@ json_value_clone(WOLFSENTRY_CONTEXT_ARGS_IN_EX(struct wolfsentry_allocator *allo
                         break;
                     }
                     ret = json_value_clone(WOLFSENTRY_CONTEXT_ARGS_OUT_EX(allocator), &src_dict_node->json_value, dest_node);
+                    if (ret < 0)
+                        break;
                     src_dict_node = src_dict_node->order_next;
                 }
             } else {
@@ -1954,8 +1960,6 @@ json_value_clone(WOLFSENTRY_CONTEXT_ARGS_IN_EX(struct wolfsentry_allocator *allo
                 }
 
                 free((void *)stack);
-
-                break;
             }
             if (ret < 0) {
                 int ret2 = json_value_fini(WOLFSENTRY_CONTEXT_ARGS_OUT_EX(allocator), clone);
