Added a nesting limit to the parser to prevent stack overflow that could be a security issue

include/ArduinoJson/Internals/JsonParser.hpp

@@ -13,7 +13,8 @@ namespace Internals {
 
 class JsonParser {
  public:
-  JsonParser(JsonBuffer *buffer, char *json) : _buffer(buffer), _ptr(json) {}
+  JsonParser(JsonBuffer *buffer, char *json, uint8_t nestingLimit)
+      : _buffer(buffer), _ptr(json), _nestingLimit(nestingLimit) {}
 
   JsonArray &parseArray();
   JsonObject &parseObject();
@@ -33,6 +34,7 @@ class JsonParser {
 
   JsonBuffer *_buffer;
   char *_ptr;
+  uint8_t _nestingLimit;
 };
 }
 }

include/ArduinoJson/JsonBuffer.hpp

@@ -19,9 +19,11 @@ class JsonBuffer {
   JsonArray &createArray();
   JsonObject &createObject();
 
-  JsonArray &parseArray(char *json);
-  JsonObject &parseObject(char *json);
+  JsonArray &parseArray(char *json, uint8_t nestingLimit = DEFAULT_LIMIT);
+  JsonObject &parseObject(char *json, uint8_t nestingLimit = DEFAULT_LIMIT);
 
   virtual void *alloc(size_t size) = 0;
+
+  static const uint8_t DEFAULT_LIMIT = 10;
 };
 }