From 77e4743df008c0f29c0803da563652b745f83b7f Mon Sep 17 00:00:00 2001
From: Roland Kossel
Date: Wed, 3 Jun 2026 08:50:55 +0200
Subject: [PATCH] limit numeric token length during parsing

Reject overly long numeric tokens before allocating temporary number strings to avoid unbounded allocations for malformed or malicious JSON input.
---
 cJSON.c | 4 ++++
 cJSON.h | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/cJSON.c b/cJSON.c
index 88c2d95b3..77a0e0e0d 100644
--- a/cJSON.c
+++ b/cJSON.c
@@ -351,6 +351,10 @@ static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_bu
 default:
 goto loop_end;
 }
+ if (number_string_length > CJSON_NUMBER_LENGTH_LIMIT)
+ {
+ return false;
+ }
 }
 loop_end:
 /* malloc for temporary buffer, add 1 for '\0' */
diff --git a/cJSON.h b/cJSON.h
index cab5feb42..46a538258 100644
--- a/cJSON.h
+++ b/cJSON.h
@@ -99,6 +99,10 @@ then using the CJSON_API_VISIBILITY flag to "export" the same symbols the way CJ
 #define cJSON_IsReference 256
 #define cJSON_StringIsConst 512
+#ifndef CJSON_NUMBER_LENGTH_LIMIT
+#define CJSON_NUMBER_LENGTH_LIMIT 512
+#endif
+
 /* The cJSON structure: */
 typedef struct cJSON
 {
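Review bot: The new check in parse_number rejects the token with a bare `return false`, which is indistinguishable from any other malformed number, and nothing at the site explains why the cut-off exists or that it is inclusive (a token of exactly CJSON_NUMBER_LENGTH_LIMIT characters still passes the `>` test and reaches the allocation below). A comment on the added `if` would carry that intent: `/* bound the token before the temporary buffer is allocated; tokens longer than CJSON_NUMBER_LENGTH_LIMIT are treated as malformed */`. The scanning loop that increments number_string_length and the allocation that consumes it both lie outside the hunk, so the body of parse_number continues on both sides of this change. If the repository carries a parse_number test file, a case with a token one character above the limit would pin the new boundary.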
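Review bot: CJSON_NUMBER_LENGTH_LIMIT is added to the public header with no comment, although it changes which documents parse and is meant to be overridden. Because the macro is only consulted inside cJSON.c, defining it in application code after the library is built presumably has no effect, which is the kind of surprise a header comment should head off: `/* Maximum length in characters of a numeric token; longer tokens fail to parse. Takes effect only when defined before cJSON.c is compiled; must be a non-negative integer constant. */`. The placement among the cJSON_IsReference/cJSON_StringIsConst type flags also invites confusion with those bit values; a short blank-line-separated group with the comment above it keeps the two apart.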