Add advisory for rustc_serialize (#1140)
5225225 authored Jan 21, 2022
1 parent 258329b commit 3e6d771
Showing 1 changed file with 28 additions and 0 deletions.
28 changes: 28 additions & 0 deletions crates/rustc-serialize/RUSTSEC-0000-0000.md
@@ -0,0 +1,28 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "rustc-serialize"
date = "2022-01-01"
categories = ["denial-of-service"]
keywords = ["stack overflow"]

[versions]
patched = []

[affected]
functions = { "rustc_serialize::json::Json::from_str" = ["*"] }
```

# Stack overflow in rustc_serialize when parsing deeply nested JSON

When parsing JSON using `json::Json::from_str`, there is no limit to the depth of the stack, therefore deeply nested objects can cause a stack overflow, which aborts the process.

Example code that triggers the vulnerability is

```rust
fn main() {
let _ = rustc_serialize::json::Json::from_str(&"[0,[".repeat(10000));
}
```

[serde](https://crates.io/crates/serde) is recommended as a replacement to rustc_serialize.
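Review bot: the description's "there is no limit to the depth of the stack" is imprecise; the condition is that `Json::from_str` recurses once per nesting level with no depth limit, so stack usage grows with the nesting of the input, and the advisory should say that plus the exposure this creates (JSON from an untrusted or attacker-controlled source). Since `patched = []` and the only remedy given is migrating to serde, a short mitigation line for callers who cannot migrate, such as rejecting input above a chosen size or nesting depth before calling `from_str`, would make the advisory more actionable. Minor: the body of `fn main` in the example is not indented.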
