Add advisory for rustc_serialize (#1140)

This commit is contained in:
5225225
2022-01-21 18:13:12 +00:00
committed by GitHub
parent 258329bae6
commit 3e6d7719d5


@@ -0,0 +1,28 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "rustc-serialize"
date = "2022-01-01"
categories = ["denial-of-service"]
keywords = ["stack overflow"]
[versions]
patched = []
[affected]
functions = { "rustc_serialize::json::Json::from_str" = ["*"] }
```
# Stack overflow in rustc_serialize when parsing deeply nested JSON
When parsing JSON using `json::Json::from_str`, there is no limit to the depth of the stack, therefore deeply nested objects can cause a stack overflow, which aborts the process.
Example code that triggers the vulnerability is
```rust
fn main() {
let _ = rustc_serialize::json::Json::from_str(&"[0,[".repeat(10000));
}
```
[serde](https://crates.io/crates/serde) is recommended as a replacement to rustc_serialize.
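Review bot: The `[advisory]` table in this hunk has no `url` field pointing at an upstream issue or report, so a reader has nothing to trace the finding back to; please add one if a public report exists, or note in the description that the crate is unmaintained and the issue was reported directly here. Two smaller points: `date = "2022-01-01"` predates the commit date shown above (2022-01-21), so confirm it reflects the actual disclosure date rather than a placeholder; and in the description, "there is no limit to the depth of the stack" would be clearer as "there is no limit on recursion depth", since the stack limit is exactly what is hit. The example in the hunk, `rustc_serialize::json::Json::from_str(&"[0,[".repeat(10000))`, does compile as written (`&String` coerces to `&str`), and `patched = []` is correct for an unmaintained crate with no fix available.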