In my previous bug report on parsing in the Steem blockchain, a user asked if custom JSON was also vulnerable which inspired me to take a closer look.

The JSON parsing code in the “FC” library used by Steem did have a check for nesting, but it was not adequate:

/** the purpose of this check is to verify that we will not get a stack overflow in the recursive descent parser */ void check_string_depth( const string& utf8_str ) { int32_t open_object = 0; int32_t open_array = 0; for( auto c : utf8_str ) { switch( c ) { case…


Modern security and correctness tools, made usable.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store