Commit 84a54c5c authored by jgruber's avatar jgruber Committed by Commit Bot

[json] Handle stack overflows in JSON.parse

It's possible to build circular objects through the reviver function in
JSON.parse. Recursion needs to check for stack overflows and throw as
needed.

BUG=chromium:729671

Change-Id: I52ccd9ed9fea5829810879f8dd8207043fa6d910
Reviewed-on: https://chromium-review.googlesource.com/525812
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: 's avatarCamillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45752}
parent 337bb36e
......@@ -80,6 +80,8 @@ MaybeHandle<Object> JsonParseInternalizer::InternalizeJsonProperty(
bool JsonParseInternalizer::RecurseAndApply(Handle<JSReceiver> holder,
Handle<String> name) {
STACK_CHECK(isolate_, false);
Handle<Object> result;
ASSIGN_RETURN_ON_EXCEPTION_VALUE(
isolate_, result, InternalizeJsonProperty(holder, name), false);
......
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
var o = { 0: 11, 1: 9};
assertThrows(() => JSON.parse('[0,0]', function() { this[1] = o; }), RangeError);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment