bug for cJSON_InsertItemInArray function #802
Comments
This appears to have CVE-2023-50471 assigned.
Hi @Du4t Currently I tested with Besides this, I don't think it's a good practice to request a CVE without this problem being confirmed.
The only way I can reproduce this problem is to pass a corrupted

```c
cJSON *item = cJSON_CreateString("item");
cJSON *array = cJSON_CreateArray();
cJSON *temp1 = cJSON_CreateString("item1");
cJSON *temp2 = cJSON_CreateString("item2");
add_item_to_array(array, temp1);
add_item_to_array(array, temp2);
// manually set the prev to be NULL to make a corrupted array
temp2->prev = NULL;
// SEGV as after_inserted->prev is NULL, which is passed to newitem->prev, making newitem->prev->next a NULL pointer using
cJSON_InsertItemInArray(array, 1, item);
```

Is this the correct way to reproduce this problem?
Add NULL checkings in cJSON_InsertItemInArray and cJSON_SetValuestring Fixing DaveGamble#802(CVE-2023-50471) and DaveGamble#803(CVE-2023-50472)
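A sketch of the kind of NULL check the commit title above refers to, as an added example rather than cJSON's own code: a simplified doubly linked array whose insert refuses an element with a NULL `prev`, as in the corrupted array from the reproducer above, instead of dereferencing it. The `node` and `array` types, the function names, and the invariant that the head's `prev` points at the tail are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of an array's element list (hypothetical types, not cJSON's). */
typedef struct node { struct node *next, *prev; } node;
typedef struct { node *child; } array;

/* Append; model invariant: head->prev is the tail, tail->next is NULL. */
static bool array_append(array *a, node *item)
{
    if (a == NULL || item == NULL) return false;
    item->next = NULL;
    if (a->child == NULL) { a->child = item; item->prev = item; return true; }
    node *tail = a->child->prev;
    if (tail == NULL) return false;            /* corrupted head: refuse */
    tail->next = item; item->prev = tail; a->child->prev = item;
    return true;
}

/* Insert newitem before position `which`; append when `which` is past the end. */
static bool array_insert(array *a, int which, node *newitem)
{
    if (a == NULL || newitem == NULL || which < 0) return false;
    node *after = a->child;
    while (after != NULL && which-- > 0) after = after->next;
    if (after == NULL) return array_append(a, newitem);
    /* Without this check, a NULL after->prev is copied into newitem->prev
       and then dereferenced by newitem->prev->next below. */
    if (after->prev == NULL) return false;
    newitem->next = after;
    newitem->prev = after->prev;
    after->prev = newitem;
    if (after == a->child) a->child = newitem;
    else newitem->prev->next = newitem;
    return true;
}

/* Constructed case: well-formed two-element array, insert at index 1. */
bool healthy_insert_links_ok(void)
{
    array a = { NULL }; node n1 = { NULL, NULL }, n2 = n1, item = n1;
    array_append(&a, &n1); array_append(&a, &n2);
    return array_insert(&a, 1, &item) && n1.next == &item && item.prev == &n1
        && item.next == &n2 && n2.prev == &item && a.child->prev == &n2;
}

/* Constructed case: second element's prev cleared by hand, as in the reproducer. */
bool corrupted_insert_rejected(void)
{
    array a = { NULL }; node n1 = { NULL, NULL }, n2 = n1, item = n1;
    array_append(&a, &n1); array_append(&a, &n2);
    n2.prev = NULL;
    return !array_insert(&a, 1, &item) && n1.next == &n2 && item.next == NULL;
}

int main(void) { return (healthy_insert_links_ok() && corrupted_insert_rejected()) ? 0 : 1; }
```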
Hi, is there any plan to backport the fix to the 1.7.16 version?
Description
If the `newitem` passed in `cJSON_InsertItemInArray` doesn't have `prev`, the `newitem->prev` will be null. The null pointer dereference will cause SEGV in function cJSON_InsertItemInArray cJSON.c:2287
Version
Related Code
Impact
Potentially causing DoS