advisory-db/crates/rustc-serialize/RUSTSEC-2022-0004.md
2023-06-13 15:10:24 +02:00

```toml
[advisory]
id = "RUSTSEC-2022-0004"
package = "rustc-serialize"
date = "2022-01-01"
categories = ["denial-of-service"]
keywords = ["stack overflow"]
aliases = ["GHSA-2226-4v3c-cff8"]

[versions]
patched = []

[affected]
functions = { "rustc_serialize::json::Json::from_str" = ["*"] }
```

# Stack overflow in rustc_serialize when parsing deeply nested JSON

`json::Json::from_str` parses nested arrays and objects by recursion and imposes no limit on nesting depth, so every additional level of nesting consumes another stack frame. A sufficiently deeply nested input exhausts the thread's stack. Rust does not unwind on stack overflow, so the process aborts rather than returning a parse error, and the condition cannot be recovered from with `catch_unwind`. Any program that passes untrusted JSON to this function can therefore be crashed with a short input.

Example code that triggers the vulnerability:

```rust
fn main() {
    // 10000 unterminated nested arrays: the parser recurses once per level
    // and overflows the stack before it reaches the end of the input.
    let _ = rustc_serialize::json::Json::from_str(&"[0,[".repeat(10000));
}
```

No patched version of rustc_serialize exists (`patched = []` above). serde, with the serde_json crate for JSON, is recommended as a replacement for rustc_serialize: serde_json's deserializer enforces a nesting-depth limit (128 by default) and returns an error for input such as the one above instead of overflowing the stack.
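Where migration cannot happen immediately, the same class of mitigation can be applied in front of the vulnerable call: bound the nesting depth of untrusted input with a linear-time, constant-stack scan before handing it to any recursive parser. The following is an added example written for this page, not code from the advisory or from the rustc-serialize crate. The names `nesting_depth`, `check_before_parse` and `MAX_DEPTH`, the limit of 128 (chosen to match serde_json's default) and the benign sample document are all assumptions of the example. It uses only the standard library so it runs without the vulnerable crate; in real use, `check_before_parse` would guard the call to `rustc_serialize::json::Json::from_str`.

```rust
// Added example, not part of the advisory or of the rustc-serialize crate.
// A linear-time, constant-stack pre-check that bounds JSON nesting depth
// before untrusted input reaches a recursive parser. The limit of 128 is an
// assumption chosen for this example (it matches serde_json's default).

pub const MAX_DEPTH: usize = 128;

#[derive(Debug, PartialEq, Eq)]
pub enum DepthError {
    /// A '[' or '{' opened nesting level `limit + 1`; the input is rejected
    /// without ever being handed to the parser.
    TooDeep { limit: usize },
}

/// Scans `input` byte by byte and returns its maximum nesting depth, or an
/// error as soon as that depth exceeds `limit`. Brackets inside string
/// literals (including after escaped quotes such as "\"]") are ignored.
/// Other syntax errors, e.g. a stray closing bracket, are left to the real
/// parser. Because this is a loop over bytes rather than a recursive descent,
/// it cannot itself overflow the stack, however deep the input is.
pub fn nesting_depth(input: &str, limit: usize) -> Result<usize, DepthError> {
    let mut depth = 0usize;
    let mut max_depth = 0usize;
    let mut in_string = false;
    let mut escaped = false;

    for b in input.bytes() {
        if in_string {
            if escaped {
                escaped = false;
            } else if b == b'\\' {
                escaped = true;
            } else if b == b'"' {
                in_string = false;
            }
            continue;
        }
        match b {
            b'"' => in_string = true,
            b'[' | b'{' => {
                depth += 1;
                if depth > limit {
                    return Err(DepthError::TooDeep { limit });
                }
                max_depth = max_depth.max(depth);
            }
            // A closer with no opener is a syntax error the parser will report;
            // saturate so the depth count stays meaningful.
            b']' | b'}' => depth = depth.saturating_sub(1),
            _ => {}
        }
    }
    Ok(max_depth)
}

/// Gate for the vulnerable call: returns Ok(()) only if `input` may safely be
/// passed to a recursive parser such as rustc_serialize::json::Json::from_str.
pub fn check_before_parse(input: &str) -> Result<(), DepthError> {
    nesting_depth(input, MAX_DEPTH).map(|_| ())
}

fn main() {
    // The advisory's trigger input: 10000 unterminated nested arrays.
    let hostile = "[0,[".repeat(10000);
    // A constructed benign document whose strings contain bracket characters.
    let benign = r#"{"name": "[not nesting]", "tags": [["a"], ["b", "\"]"]]}"#;

    println!("hostile: {:?}", check_before_parse(&hostile));
    println!("benign:  {:?}", nesting_depth(benign, MAX_DEPTH));
}
```

The scan rejects the advisory's payload at the 129th opening bracket, after reading a few hundred bytes, and accepts the benign document with a reported depth of 3 because brackets inside string literals are skipped. This is a stopgap only: it bounds recursion depth but does nothing about other defects in an unmaintained parser, and migrating to serde_json, which enforces the same limit internally, remains the fix.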