Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug for cJSON_InsertItemInArray function #802

Closed
Du4t opened this issue Dec 4, 2023 · 4 comments · Fixed by #810
Closed

bug for cJSON_InsertItemInArray function #802

Du4t opened this issue Dec 4, 2023 · 4 comments · Fixed by #810

Comments

@Du4t
Copy link

Du4t commented Dec 4, 2023

Description

If the the newitem passed in cJSON_InsertItemInArray dont have prev, the newitem->prevwill be null. The null pointer dereference will cause SEGV in function cJSON_InsertItemInArray cJSON.c:2287

Version

commit cb8693b058ba302f4829ec6d03f609ac6f848546 (HEAD -> master, tag: v1.7.16, origin/master, origin/HEAD)
Author: Alan Wang <wp_scut@163.com>
Date:   Wed Jul 5 11:22:19 2023 +0800

Related Code

CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON *newitem)
{
    cJSON *after_inserted = NULL;

    if (which < 0)
    {
        return false;
    }

    after_inserted = get_array_item(array, (size_t)which);
    if (after_inserted == NULL)
    {
        return add_item_to_array(array, newitem);
    }

    newitem->next = after_inserted;
    newitem->prev = after_inserted->prev;
    after_inserted->prev = newitem;
    if (after_inserted == array->child)
    {
        array->child = newitem;
    }
    else
    {
        newitem->prev->next = newitem; // <== here
    }
    return true;
}

Impact

Potentially causing DoS
@carnil
Copy link

carnil commented Dec 14, 2023

This appears to have CVE-2023-50471 assigned.

@PeterAlfredLee
Copy link
Contributor

Hi @Du4t
It will be appreciated if you can provide a POC.

Currently I tested with newitem->prev as NULL but I can not reproduce this problem.

Besides this, I don't think it's a good practice to request a CVE without this problem being confirmed.

@PeterAlfredLee
Copy link
Contributor

The only way I can reproduce this problem is to pass a corrupted array to cJSON_InsertItemInArray like this:

    cJSON *item = cJSON_CreateString("item");
    cJSON *array = cJSON_CreateArray();
    cJSON *temp1 = cJSON_CreateString("item1");
    cJSON *temp2 = cJSON_CreateString("item2");

    add_item_to_array(array, temp1);
    add_item_to_array(array, temp2);

    // manually set the prev to be NULL to make a corrupted array
    temp2->prev = NULL;

    // SEGV as after_inserted->prev is NULL, which is passed to newitem->prev, making newitem->prev->next a NULL pointer using
    cJSON_InsertItemInArray(array, 1, item);

Is this the correct way to reproduce this problem?

PeterAlfredLee added a commit to PeterAlfredLee/cJSON that referenced this issue Dec 15, 2023
@PeterAlfredLee
add NULL checkings
9759352 
Add NULL checkings in cJSON_InsertItemInArray and cJSON_SetValuestring
Fixing DaveGamble#802(CVE-2023-50471) and DaveGamble#803(CVE-2023-50472)
@PeterAlfredLee PeterAlfredLee mentioned this issue Dec 15, 2023
Merged
PeterAlfredLee added a commit to PeterAlfredLee/cJSON that referenced this issue Dec 16, 2023
@PeterAlfredLee
add NULL check in cJSON_InsertItemInArray
ada007a 
Fixes DaveGamble#802(CVE-2023-50471)
PeterAlfredLee added a commit to PeterAlfredLee/cJSON that referenced this issue Dec 16, 2023
@PeterAlfredLee
add NULL check in cJSON_InsertItemInArray
775c807 
Fixes DaveGamble#802(CVE-2023-50471)
PeterAlfredLee added a commit to PeterAlfredLee/cJSON that referenced this issue Dec 20, 2023
@PeterAlfredLee
fix null checks problems
3c7ebd5 
Fixes DaveGamble#802 and DaveGamble#803
PeterAlfredLee added a commit to PeterAlfredLee/cJSON that referenced this issue Dec 20, 2023
@PeterAlfredLee
fix error in null checkings
0140c48 
fixes DaveGamble#802 and DaveGamble#803
@PeterAlfredLee PeterAlfredLee mentioned this issue Dec 20, 2023
Merged
Alanscut pushed a commit that referenced this issue Dec 20, 2023
@PeterAlfredLee
fix error in null checkings (#810)
f66cbab 
fixes #802 and #803
@ArchanaWind
Copy link

Hi,

Is there any plan to backport the fix to 1.7.16 version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix error in null checkings PeterAlfredLee/cJSON
4 participants
@carnil @Du4t @PeterAlfredLee @ArchanaWind