
An OOM security issue was found in JSON-java

Open Alex111998 opened this issue 1 year ago • 2 comments

When I tested the latest version (20231013) of JSON-java with CIFuzz, an OOM security issue was found. It is caused by putting a big number in a JSONArray, and may cause denial of service issues in applications via the following code:

new org.json.JSONArray().put(1829517625, 1.0719845412539998E291);


Alex111998 avatar Nov 27 '23 14:11 Alex111998

This is expected behavior. Don't do that.

johnjaylward avatar Nov 27 '23 14:11 johnjaylward

JSON does not support the concept of "sparse arrays" as you would need an index => value mapping which effectively is a JSONObject then. You have to think about how your created object would be stringified: It would be [,,,(1829517624 commas in total),,, 1.0719845412539998E291] and you could already avoid parsing this. On the other hand your example can only be created directly from code so the 'security issue' can only be injected by the programmer deliberately and can be mitigated by checks for the index to be in a sane range.

Madjosz avatar Feb 06 '24 08:02 Madjosz
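
The index range check suggested in the last comment, as an added example that is not part of the thread or of JSON-java itself. The class `BoundedJsonArray`, the helper `putBounded` and the `MAX_INDEX` value are assumptions made for illustration; the example needs the org.json library on the classpath.

```java
import org.json.JSONArray;
import org.json.JSONException;

public final class BoundedJsonArray {

    // Hypothetical upper bound for this example; pick one that fits the
    // largest array the application legitimately needs.
    static final int MAX_INDEX = 10_000;

    /**
     * Wraps JSONArray.put(int, Object) with a range check, so that an index
     * derived from external input cannot make the array grow to
     * index + 1 elements and exhaust the heap.
     */
    static JSONArray putBounded(JSONArray array, int index, Object value) {
        if (index < 0 || index > MAX_INDEX) {
            throw new JSONException(
                "JSONArray index outside allowed range [0, " + MAX_INDEX + "]: " + index);
        }
        return array.put(index, value);
    }

    public static void main(String[] args) {
        JSONArray array = new JSONArray();

        // An index inside the allowed range is stored as usual.
        putBounded(array, 3, 1.5);
        System.out.println("length after in-range put: " + array.length());

        // The call from the issue report is rejected before any allocation.
        try {
            putBounded(array, 1829517625, 1.0719845412539998E291);
        } catch (JSONException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```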