hjson-lua stack exhaustion vulnerability

[scacaca]

Summary

A DOS vulnerability in hjson-lua caused by crafted objects that deeply nested structures.

Description

An issue was discovered in the latest hjson-lua allows attackers to cause a denial of service or other unspecified impacts via crafted objects that deeply nested structures.
there is a similar vulnerable,but hjson-lua has not similar fix logic.
The relevent code in file1
eg. local function parseObject, local function parseArray, local function _scanOnce

Patch

there is a similar fix logic
Limit parse depth.

Credit

The vulnerability was discovered by chaojie Xiong (FUDAN University, sslwork2023 @163.com)
mingda GUO(FUDANUniversity,22110240064@m.fudan.edu.cn)
zhang Lei(fUDAN University,zxl@fudan.edu.cn)
DongLai Zhu(FUDAN University)
YangchacLiu(FUDAN University,23210860056@m.fudan.edu.cn)

[cryi]

Hi, thank you for reporting this issue.

Overall, this cannot rely solely on our library. The user should perform some level of input validation on their side—we cannot predict whether they intend to parse input of arbitrary length or not.

That said, based on your suggestion, I have added a default maximum depth limit of 1000. The user can override this by passing the max_depth option to the decode/parse function. I hope this provides a sufficient fix.