cJSON buffer overflow with odd formatted JSON string #30

Closed
marcograss opened this issue Oct 1, 2016 · 3 comments

@marcograss

commented Oct 1, 2016

Hi,

I would like to report a buffer overflow in cJSON; you can test this PoC with an ODD string:

```c
#include <stdio.h>
#include <stdlib.h>
#include "cJSON.h"

/* Opening quote, 18 zeros and a trailing backslash: no closing quote, and the
 * backslash is the last byte before the NUL terminator (21 bytes in total). */
static const char *my_json = "\"000000000000000000\\";

int main(void) {
    cJSON *root = cJSON_Parse(my_json);        /* parse_string reads past the end here */
    char *rendered = cJSON_Print(root);        /* NULL when parsing failed */
    printf("%s\n", rendered ? rendered : "(null)");
    free(rendered);
    cJSON_Delete(root);
    return 0;
}
```

Building it with ASAN will trigger an out-of-bounds read on the input string, which can be problematic since in a lot of use cases the JSON input to applications using cJSON is untrusted.

Thanks

Marco

==72479==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001000138d5 at pc 0x0001000062fb bp 0x7fff5fbff2a0 sp 0x7fff5fbff298
READ of size 1 at 0x0001000138d5 thread T0
#0 0x1000062fa in parse_string cJSON.c:198
#1 0x100001a01 in parse_value cJSON.c:366
#2 0x1000015bb in cJSON_ParseWithOpts cJSON.c:334
#3 0x100001dfa in cJSON_Parse cJSON.c:343
#4 0x10000e481 in main main.c:17
#5 0x7fff834bb5ac in start (libdyld.dylib+0x35ac)

0x0001000138d5 is located 0 bytes to the right of global variable '' defined in '/Users/marco/Downloads/cjsontest/cjsontest/main.c:14:30' (0x1000138c0) of size 21
'' is ascii string '"000000000000000000'
SUMMARY: AddressSanitizer: global-buffer-overflow cJSON.c:198 in parse_string
==72479==ABORTING
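To make the reported read concrete, here is an added example (mine, not cJSON's code and not FSMaxB's fix) that replays the pre-fix skip loop named in the trace over a padded buffer we own, so the overrun can be measured rather than crashing, next to a hardened version of the same check. The buffer layout and the names `vulnerable_overrun`, `safe_len` and `demo_overrun` are my own constructions.

```c
#include <stddef.h>
#include <string.h>

/* Constructed input: the reporter's PoC string (21 bytes including the NUL). */
static const char poc[] = "\"000000000000000000\\";

/* The pre-fix skip loop from the report's stack trace (parse_string, cJSON.c:198
 * at the time), replayed over a buffer we own. term_index is where the string's
 * NUL terminator sits; when a backslash is the last byte, the `ptr++` after the
 * escape steps over the terminator and the loop keeps reading. Returns how many
 * bytes beyond the terminator were read (0 for a well-formed string). */
size_t vulnerable_overrun(const char *buf, size_t term_index) {
    const char *ptr = buf + 1;
    const char *term = buf + term_index;
    int len = 0;
    while (*ptr != '"' && *ptr && ++len) if (*ptr++ == '\\') ptr++;
    return ptr > term ? (size_t)(ptr - term) : 0;
}

/* Hardened equivalent (my version, not the project's commit): a backslash must
 * have a byte after it before the terminator, and the closing quote must really
 * be present. Returns the raw content length, or -1 on malformed input. */
long safe_len(const char *json) {
    const char *ptr;
    long len = 0;
    if (json[0] != '"') return -1;
    for (ptr = json + 1; *ptr != '"'; ptr++) {
        if (*ptr == '\0') return -1;        /* no closing quote */
        if (*ptr == '\\') {
            if (ptr[1] == '\0') return -1;  /* escape with nothing after it: the bug */
            ptr++;                          /* step over the escaped byte */
        }
        len++;
    }
    return len;
}

/* Copies the PoC into a 32-byte buffer padded with 'x' after its terminator
 * (last byte NUL), so the old loop runs past the string but stays inside memory
 * we own; returns the number of bytes it read beyond the terminator. */
size_t demo_overrun(void) {
    char buf[32];
    memset(buf, 'x', sizeof buf);
    buf[sizeof buf - 1] = '\0';
    memcpy(buf, poc, sizeof poc);           /* sizeof poc includes the NUL */
    return vulnerable_overrun(buf, sizeof poc - 1);
}
```

With the padding above the old loop reads 11 bytes past the terminator before it happens to find a NUL; with ASan on the real 21-byte global, the very first of those reads is the reported global-buffer-overflow.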

@FSMaxB FSMaxB added the bug label Oct 2, 2016

@FSMaxB

Collaborator

commented Oct 2, 2016

I can confirm this. Looking into it right now.

FSMaxB added a commit that referenced this issue Oct 2, 2016

@FSMaxB

Collaborator

commented Oct 2, 2016

Fixed via 94df772

@FSMaxB FSMaxB closed this Oct 2, 2016

@FSMaxB FSMaxB referenced this issue Oct 2, 2016

Merged

Reformatting code #29

bmah888 added a commit to esnet/iperf that referenced this issue Oct 5, 2016

Fix a buffer overflow in upstream cJSON.
This is DaveGamble/cJSON#30, and fixes issue #466.

Signed-off-by: Bruce A. Mah <bmah@es.net>

@fgeek


commented Nov 7, 2016

@FSMaxB FSMaxB added the security label Nov 7, 2016

FSMaxB added a commit that referenced this issue May 1, 2017

Squashed 'tests/json-patch-tests/' changes from 716417e..5405313
5405313 Add tests for replacing the root document (#30)

git-subtree-dir: tests/json-patch-tests
git-subtree-split: 54053131a31241ecccfffdc79753ff169aa9763c

Floessie added a commit to Beep6581/RawTherapee that referenced this issue Mar 27, 2018

Bump cJSON to 1.7.5
Should fix CVE-2016-4303 and DaveGamble/cJSON#30.