$OpenBSD: patch-src_load_c,v 1.1 2016/06/28 12:48:30 jasper Exp $

Security fix for CVE-2016-4425
https://github.com/akheron/jansson/issues/282

--- src/load.c.orig	Thu Oct  2 06:59:26 2014
+++ src/load.c	Tue Jun 28 14:44:09 2016
@@ -61,6 +61,7 @@ typedef struct {
 typedef struct {
     stream_t stream;
     strbuffer_t saved_text;
+    size_t depth;
     int token;
     union {
         struct {
@@ -800,6 +801,12 @@ static json_t *parse_value(lex_t *lex, size_t flags, j
     json_t *json;
     double value;
 
+    lex->depth++;
+    if(lex->depth > JSON_PARSER_MAX_DEPTH) {
+        error_set(error, lex, "maximum parsing depth reached");
+        return NULL;
+    }
+
     switch(lex->token) {
         case TOKEN_STRING: {
             const char *value = lex->value.string.val;
@@ -870,12 +877,15 @@ static json_t *parse_value(lex_t *lex, size_t flags, j
     if(!json)
         return NULL;
 
+    lex->depth--;
     return json;
 }
 
 static json_t *parse_json(lex_t *lex, size_t flags, json_error_t *error)
 {
     json_t *result;
+
+    lex->depth = 0;
 
     lex_scan(lex, error);
     if(!(flags & JSON_DECODE_ANY)) {
