jettison-json/jettison

Incorrect recursion depth check in JSONTokener in 1.5.2 causes it to fail for inputs with low recursion depth

Closed this issue · 1 comments

19ae19f introduced a recursion check in JSONTokener, which however seems to be computing recursion depth incorrectly - it increments the counter on every new object or array, but never decrements it, essentially counting the number of created non-primitive objects instead of recursion depth. This leads to a JSONException being thrown whenever total object count exceeds the limit (500 by default), regardless of recursion level.

```java
new JSONObject().setRecursionDepthLimit(10);
JSONArray json = new JSONArray("[{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {a:10}]");
```

produces

```
Exception in thread "main" org.codehaus.jettison.json.JSONException: JSONTokener has reached recursion depth limit of 10
	at org.codehaus.jettison.json.JSONTokener.checkRecursionDepth(JSONTokener.java:440)
	at org.codehaus.jettison.json.JSONTokener.newJSONObject(JSONTokener.java:428)
	at org.codehaus.jettison.json.JSONTokener.nextValue(JSONTokener.java:339)
	at org.codehaus.jettison.json.JSONArray.<init>(JSONArray.java:145)
	at org.codehaus.jettison.json.JSONArray.<init>(JSONArray.java:175)
```

On a side note, the decision to make the setter for static JSONObject.RECURSION_DEPTH_LIMIT non-static seems rather unfortunate to me - see the code snippet for how awkward the use seems to be.

Thanks for the report. I've merged a fix for this issue. I've also added a new static method setGlobalRecursionDepthLimit. Please re-open the issue if the issue is not fully fixed.
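The difference between counting containers and tracking nesting depth, as an added example that is not Jettison's code and not part of the thread: a minimal bracket parser (hypothetical class `DepthCheckDemo` with a hypothetical `decrementOnExit` switch) run on the input from the report and on a genuinely deep input. It assumes well-formed input and Java 11 or later for `String.repeat`.

```java
// Added illustration; this is not Jettison's JSONTokener source.
// Handles only nested {} and [] and skips every other character.
public class DepthCheckDemo {
    static final int LIMIT = 10;      // same limit as the report's reproduction
    final String src;
    final boolean decrementOnExit;    // false = increment-only counter, as described in the report
    int pos = 0, depth = 0;

    DepthCheckDemo(String src, boolean decrementOnExit) {
        this.src = src;
        this.decrementOnExit = decrementOnExit;
    }

    // Parses one container starting at pos; returns the highest counter value seen.
    int parseContainer() {
        char close = (src.charAt(pos++) == '{') ? '}' : ']';
        if (++depth > LIMIT) {
            throw new IllegalStateException("reached recursion depth limit of " + LIMIT);
        }
        int deepest = depth;
        while (src.charAt(pos) != close) {
            char c = src.charAt(pos);
            if (c == '{' || c == '[') {
                deepest = Math.max(deepest, parseContainer());
            } else {
                pos++; // skip commas, whitespace and scalar content
            }
        }
        pos++; // consume the closing bracket
        if (decrementOnExit) depth--; // leaving the container lowers the nesting level
        return deepest;
    }

    static String run(String src, boolean decrementOnExit) {
        try {
            return "ok, deepest level " + new DepthCheckDemo(src, decrementOnExit).parseContainer();
        } catch (IllegalStateException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String flat = "[{}, {}, {}, {}, {}, {}, {}, {}, {}, {}, {a:10}]"; // input from the report
        String deep = "[".repeat(11) + "]".repeat(11);                    // constructed: 11 nested arrays
        System.out.println("increment only, flat input: " + run(flat, false));
        System.out.println("with decrement, flat input: " + run(flat, true));
        System.out.println("with decrement, deep input: " + run(deep, true));
    }
}
```

With the increment-only counter the flat input is rejected; with the decrement on exit it is accepted, while the deeply nested input is still rejected, which is the protection the limit exists to provide.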