Add a configurable maximum parse depth for the blink JSON parser.

third_party/WebKit/Source/platform/json/JSONParser.cpp

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "platform/json/JSONParser.h"
 
 #include "platform/Decimal.h"
 #include "platform/json/JSONValues.h"
 #include "wtf/text/StringBuilder.h"
 #include "wtf/text/StringToNumber.h"
 
 namespace blink {
 
 namespace {
 
-const int stackLimit = 1000;
+const int kMaxStackLimit = 1000;
 
 enum Token {
   ObjectBegin,
   ObjectEnd,
   ArrayBegin,
   ArrayEnd,
   StringLiteral,
   Number,
   BoolTrue,
   BoolFalse,
@@ skipping 356 matching lines @@
   // Validate constructed utf16 string.
   if (output->utf8(StrictUTF8Conversion).isNull())
     return false;
   return true;
 }
 
 template <typename CharType>
 std::unique_ptr<JSONValue> buildValue(const CharType* start,
                                       const CharType* end,
                                       const CharType** valueTokenEnd,
-                                      int depth) {
-  if (depth > stackLimit)
+                                      int maxDepth) {
+  if (maxDepth == 0)
     return nullptr;
 
   std::unique_ptr<JSONValue> result;
   const CharType* tokenStart;
   const CharType* tokenEnd;
   Token token = parseToken(start, end, &tokenStart, &tokenEnd);
   switch (token) {
     case InvalidToken:
       return nullptr;
     case NullToken:
@@ skipping 26 matching lines @@
         return nullptr;
       result = JSONString::create(value);
       break;
     }
     case ArrayBegin: {
       std::unique_ptr<JSONArray> array = JSONArray::create();
       start = tokenEnd;
       token = parseToken(start, end, &tokenStart, &tokenEnd);
       while (token != ArrayEnd) {
         std::unique_ptr<JSONValue> arrayNode =
-            buildValue(start, end, &tokenEnd, depth + 1);
+            buildValue(start, end, &tokenEnd, maxDepth - 1);
         if (!arrayNode)
           return nullptr;
         array->pushValue(std::move(arrayNode));
 
         // After a list value, we expect a comma or the end of the list.
         start = tokenEnd;
         token = parseToken(start, end, &tokenStart, &tokenEnd);
         if (token == ListSeparator) {
           start = tokenEnd;
           token = parseToken(start, end, &tokenStart, &tokenEnd);
@@ skipping 20 matching lines @@
         if (!decodeString(tokenStart + 1, tokenEnd - 1, &key))
           return nullptr;
         start = tokenEnd;
 
         token = parseToken(start, end, &tokenStart, &tokenEnd);
         if (token != ObjectPairSeparator)
           return nullptr;
         start = tokenEnd;
 
         std::unique_ptr<JSONValue> value =
-            buildValue(start, end, &tokenEnd, depth + 1);
+            buildValue(start, end, &tokenEnd, maxDepth - 1);
         if (!value)
           return nullptr;
         object->setValue(key, std::move(value));
         start = tokenEnd;
 
         // After a key/value pair, we expect a comma or the end of the
         // object.
         token = parseToken(start, end, &tokenStart, &tokenEnd);
         if (token == ListSeparator) {
           start = tokenEnd;
@@ skipping 15 matching lines @@
       // We got a token that's not a value.
       return nullptr;
   }
 
   skipWhitespaceAndComments(tokenEnd, end, valueTokenEnd);
   return result;
 }
 
 template <typename CharType>
 std::unique_ptr<JSONValue> parseJSONInternal(const CharType* start,
-                                             unsigned length) {
+                                             unsigned length,
+                                             int maxDepth) {
   const CharType* end = start + length;
   const CharType* tokenEnd;
-  std::unique_ptr<JSONValue> value = buildValue(start, end, &tokenEnd, 0);
+  std::unique_ptr<JSONValue> value =
+      buildValue(start, end, &tokenEnd, maxDepth);
   if (!value || tokenEnd != end)
     return nullptr;
   return value;
 }
 
 }  // anonymous namespace
 
 std::unique_ptr<JSONValue> parseJSON(const String& json) {
+  return parseJSON(json, kMaxStackLimit);
+}
+
+std::unique_ptr<JSONValue> parseJSON(const String& json, int maxDepth) {
   if (json.isEmpty())
     return nullptr;
+  if (maxDepth < 0)
+    maxDepth = 0;
+  if (maxDepth > kMaxStackLimit)
+    maxDepth = kMaxStackLimit;
   if (json.is8Bit())
-    return parseJSONInternal(json.characters8(), json.length());
-  return parseJSONInternal(json.characters16(), json.length());
+    return parseJSONInternal(json.characters8(), json.length(), maxDepth);
+  return parseJSONInternal(json.characters16(), json.length(), maxDepth);
 }
 
 }  // namespace blink