1 files changed, 40 insertions, 25 deletions

diff --git a/src/lib/merchant_api_get_templates.c b/src/lib/merchant_api_get_templates.c
index 98f2e304..f1f973b5 100644
--- a/src/lib/merchant_api_get_templates.c
+++ b/src/lib/merchant_api_get_templates.c
@@ -32,6 +32,12 @@
 
 
 /**
+ * Maximum number of templates we return.
+ */
+#define MAX_TEMPLATES 1024
+
+
+/**
  * Handle for a GET /templates operation.
  */
 struct TALER_MERCHANT_TemplatesGetHandle
@@ -77,33 +83,42 @@ parse_templates (const json_t *ia,
                  struct TALER_MERCHANT_TemplatesGetResponse *tgr,
                  struct TALER_MERCHANT_TemplatesGetHandle *tgh)
 {
-  unsigned int tmpl_len = json_array_size (ia);
-  struct TALER_MERCHANT_TemplateEntry tmpl[GNUNET_NZL (tmpl_len)];
-  size_t index;
-  json_t *value;
-
-  json_array_foreach (ia, index, value) {
-    struct TALER_MERCHANT_TemplateEntry *ie = &tmpl[index];
-    struct GNUNET_JSON_Specification spec[] = {
-      GNUNET_JSON_spec_string ("template_id",
-                               &ie->template_id),
-      GNUNET_JSON_spec_end ()
-    };
-
-    if (GNUNET_OK !=
-        GNUNET_JSON_parse (value,
-                           spec,
-                           NULL, NULL))
-    {
-      GNUNET_break_op (0);
-      return GNUNET_SYSERR;
+  unsigned int tmpl_len = (unsigned int) json_array_size (ia);
+
+  if ( (json_array_size (ia) != (size_t)  tmpl_len) ||
+       (tmpl_len > MAX_TEMPLATES) )
+  {
+    GNUNET_break (0);
+    return GNUNET_SYSERR;
+  }
+  {
+    struct TALER_MERCHANT_TemplateEntry tmpl[GNUNET_NZL (tmpl_len)];
+    size_t index;
+    json_t *value;
+
+    json_array_foreach (ia, index, value) {
+      struct TALER_MERCHANT_TemplateEntry *ie = &tmpl[index];
+      struct GNUNET_JSON_Specification spec[] = {
+        GNUNET_JSON_spec_string ("template_id",
+                                 &ie->template_id),
+        GNUNET_JSON_spec_end ()
+      };
+
+      if (GNUNET_OK !=
+          GNUNET_JSON_parse (value,
+                             spec,
+                             NULL, NULL))
+      {
+        GNUNET_break_op (0);
+        return GNUNET_SYSERR;
+      }
     }
+    tgr->details.ok.templates_length = tmpl_len;
+    tgr->details.ok.templates = tmpl;
+    tgh->cb (tgh->cb_cls,
+             tgr);
+    tgh->cb = NULL; /* just to be sure */
   }
-  tgr->details.ok.templates_length = tmpl_len;
-  tgr->details.ok.templates = tmpl;
-  tgh->cb (tgh->cb_cls,
-           tgr);
-  tgh->cb = NULL; /* just to be sure */
   return GNUNET_OK;
 }