patch 9.2.0236: stack-overflow with deeply nested data in json_encode/decode()

mattn · chrisbra · commit abd2d7d4532c · 2026-03-23T21:42:04.000Z
Problem: stack-overflow with deeply nested data in json_encode/decode() (ZyX-I) Solution: Add depth limit check using 'maxfuncdepth' to json_encode_item() and json_decode_item() to avoid crash when encoding/decoding deeply nested lists, dicts, or JSON arrays/objects, fix typo in error name, add tests (Yasuhiro Matsumoto). fixes: #588 closes: #19808 Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/runtime/doc/options.txt b/runtime/doc/options.txt
@@ -1,4 +1,4 @@
-*options.txt*	For Vim version 9.2.  Last change: 2026 Mar 22
+*options.txt*	For Vim version 9.2.  Last change: 2026 Mar 23
 
 
 		  VIM REFERENCE MANUAL	  by Bram Moolenaar
@@ -6026,7 +6026,8 @@ A jump table for the options with a short description can be found at |Q_op|.
 	Increasing this limit above 200 also changes the maximum for Ex
 	command recursion, see |E169|.
 	See also |:function|.
-	Also used for maximum depth of callback functions.
+	Also used for maximum depth of callback functions and encoding and
+	decoding of deeply nested json data.
 
 						*'maxmapdepth'* *'mmd'* *E223*
 'maxmapdepth' 'mmd'	number	(default 1000)
diff --git a/src/errors.h b/src/errors.h
@@ -312,7 +312,7 @@ EXTERN char e_function_name_required[]
 // E130 unused
 EXTERN char e_cannot_delete_function_str_it_is_in_use[]
 	INIT(= N_("E131: Cannot delete function %s: It is in use"));
-EXTERN char e_function_call_depth_is_higher_than_macfuncdepth[]
+EXTERN char e_function_call_depth_is_higher_than_maxfuncdepth[]
 	INIT(= N_("E132: Function call depth is higher than 'maxfuncdepth'"));
 EXTERN char e_return_not_inside_function[]
 	INIT(= N_("E133: :return not inside a function"));
diff --git a/src/json.c b/src/json.c
@@ -18,7 +18,7 @@
 
 #if defined(FEAT_EVAL)
 
-static int json_encode_item(garray_T *gap, typval_T *val, int copyID, int options);
+static int json_encode_item(garray_T *gap, typval_T *val, int copyID, int options, int depth);
 
 /*
  * Encode "val" into a JSON format string.
@@ -28,7 +28,7 @@ static int json_encode_item(garray_T *gap, typval_T *val, int copyID, int option
     static int
 json_encode_gap(garray_T *gap, typval_T *val, int options)
 {
-    if (json_encode_item(gap, val, get_copyID(), options) == FAIL)
+    if (json_encode_item(gap, val, get_copyID(), options, 0) == FAIL)
     {
 	ga_clear(gap);
 	gap->ga_data = vim_strsave((char_u *)"");
@@ -268,7 +268,7 @@ is_simple_key(char_u *key)
  * Return FAIL or OK.
  */
     static int
-json_encode_item(garray_T *gap, typval_T *val, int copyID, int options)
+json_encode_item(garray_T *gap, typval_T *val, int copyID, int options, int depth)
 {
     char_u	numbuf[NUMBUFLEN];
     char_u	*res;
@@ -278,6 +278,12 @@ json_encode_item(garray_T *gap, typval_T *val, int copyID, int options)
     dict_T	*d;
     int		i;
 
+    if (depth > p_mfd)
+    {
+	emsg(_(e_function_call_depth_is_higher_than_maxfuncdepth));
+	return FAIL;
+    }
+
     switch (val->v_type)
     {
 	case VAR_BOOL:
@@ -365,7 +371,8 @@ json_encode_item(garray_T *gap, typval_T *val, int copyID, int options)
 		    for (li = l->lv_first; li != NULL && !got_int; )
 		    {
 			if (json_encode_item(gap, &li->li_tv, copyID,
-						   options & JSON_JS) == FAIL)
+						   options & JSON_JS,
+						   depth + 1) == FAIL)
 			    return FAIL;
 			if ((options & JSON_JS)
 				&& li->li_next == NULL
@@ -401,7 +408,8 @@ json_encode_item(garray_T *gap, typval_T *val, int copyID, int options)
 		    {
 			typval_T	*t_item = TUPLE_ITEM(tuple, i);
 			if (json_encode_item(gap, t_item, copyID,
-						   options & JSON_JS) == FAIL)
+						   options & JSON_JS,
+						   depth + 1) == FAIL)
 			    return FAIL;
 
 			if ((options & JSON_JS)
@@ -452,7 +460,8 @@ json_encode_item(garray_T *gap, typval_T *val, int copyID, int options)
 				write_string(gap, hi->hi_key);
 			    ga_append(gap, ':');
 			    if (json_encode_item(gap, &dict_lookup(hi)->di_tv,
-				      copyID, options | JSON_NO_NONE) == FAIL)
+				      copyID, options | JSON_NO_NONE,
+				      depth + 1) == FAIL)
 				return FAIL;
 			}
 		    ga_append(gap, '}');
@@ -807,6 +816,12 @@ json_decode_item(js_read_T *reader, typval_T *res, int options)
 			retval = FAIL;
 			break;
 		    }
+		    if (stack.ga_len >= p_mfd)
+		    {
+			emsg(_(e_function_call_depth_is_higher_than_maxfuncdepth));
+			retval = FAIL;
+			break;
+		    }
 		    if (ga_grow(&stack, 1) == FAIL)
 		    {
 			retval = FAIL;
@@ -838,6 +853,12 @@ json_decode_item(js_read_T *reader, typval_T *res, int options)
 			retval = FAIL;
 			break;
 		    }
+		    if (stack.ga_len >= p_mfd)
+		    {
+			emsg(_(e_function_call_depth_is_higher_than_maxfuncdepth));
+			retval = FAIL;
+			break;
+		    }
 		    if (ga_grow(&stack, 1) == FAIL)
 		    {
 			retval = FAIL;
diff --git a/src/json_test.c b/src/json_test.c
@@ -195,6 +195,7 @@ test_fill_called_on_string(void)
 main(void)
 {
 #if defined(FEAT_EVAL)
+    p_mfd = 100;
     test_decode_find_end();
     test_fill_called_on_find_end();
     test_fill_called_on_string();
diff --git a/src/testdir/test_json.vim b/src/testdir/test_json.vim
@@ -326,4 +326,34 @@ func Test_json_encode_long()
   call assert_equal(4000, len(json))
 endfunc
 
+func Test_json_encode_depth()
+  let save_mfd = &maxfuncdepth
+  set maxfuncdepth=10
+
+  " Create a deeply nested list that exceeds maxfuncdepth.
+  let l = []
+  let d = {}
+  for i in range(20)
+    let l = [l]
+    let d = {1: d}
+  endfor
+  call assert_fails('call json_encode(l)', 'E132:')
+  call assert_fails('call json_encode(d)', 'E132:')
+
+  let &maxfuncdepth = save_mfd
+endfunc
+
+func Test_json_decode_depth()
+  let save_mfd = &maxfuncdepth
+  set maxfuncdepth=10
+
+  let deep_json = repeat('[', 20) .. '1' .. repeat(']', 20)
+  call assert_fails('call json_decode(deep_json)', 'E132:')
+
+  let deep_json = repeat('{"a":', 20) .. '1' .. repeat('}', 20)
+  call assert_fails('call json_decode(deep_json)', 'E132:')
+
+  let &maxfuncdepth = save_mfd
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/userfunc.c b/src/userfunc.c
@@ -2910,7 +2910,7 @@ funcdepth_increment(void)
 {
     if (funcdepth >= p_mfd)
     {
-	emsg(_(e_function_call_depth_is_higher_than_macfuncdepth));
+	emsg(_(e_function_call_depth_is_higher_than_maxfuncdepth));
 	return FAIL;
     }
     ++funcdepth;
diff --git a/src/version.c b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    236,
 /**/
     235,
 /**/

Original file line number	Diff line number	Diff line change
`@@ -195,6 +195,7 @@ test_fill_called_on_string(void)`
`195`	`195`	`main(void)`
`196`	`196`	`{`
`197`	`197`	`#if defined(FEAT_EVAL)`
	`198`	`+ p_mfd = 100;`
`198`	`199`	`test_decode_find_end();`
`199`	`200`	`test_fill_called_on_find_end();`
`200`	`201`	`test_fill_called_on_string();`
Original file line number	Diff line number	Diff line change
`@@ -2910,7 +2910,7 @@ funcdepth_increment(void)`
`2910`	`2910`	`{`
`2911`	`2911`	`if (funcdepth >= p_mfd)`
`2912`	`2912`	`{`
`2913`		`- emsg(_(e_function_call_depth_is_higher_than_macfuncdepth));`
	`2913`	`+ emsg(_(e_function_call_depth_is_higher_than_maxfuncdepth));`
`2914`	`2914`	`return FAIL;`
`2915`	`2915`	`}`
`2916`	`2916`	`++funcdepth;`