fix DOM path realloc overflow

JeremiahM37 · JeremiahM37 · commit f5011e172e28 · 2026-03-31T04:49:51.000Z
diff --git a/src/json/centijson_dom.c b/src/json/centijson_dom.c
@@ -266,10 +266,14 @@ json_dom_process(JSON_TYPE type, const unsigned char* data, size_t data_size, vo
          * append their json_values. */
         if(dom_parser->path_size >= dom_parser->path_alloc) {
             JSON_VALUE** new_path;
-            size_t new_path_alloc = dom_parser->path_alloc * 2;
+            size_t new_path_alloc;
 
-            if(new_path_alloc == 0)
+            if(dom_parser->path_alloc == 0)
                 new_path_alloc = 32;
+            else if(dom_parser->path_alloc > SIZE_MAX / 2 / sizeof(JSON_VALUE*))
+                return JSON_ERR_OUTOFMEMORY;
+            else
+                new_path_alloc = dom_parser->path_alloc * 2;
             new_path = (JSON_VALUE**) realloc((void *)dom_parser->path, new_path_alloc * sizeof(JSON_VALUE*));
             if(new_path == NULL)
                 return JSON_ERR_OUTOFMEMORY;
