Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Undeclared exceptions thrown by JSON.parse #3631

Closed
fmeum opened this issue Jan 29, 2021 · 3 comments
Closed

Undeclared exceptions thrown by JSON.parse #3631

fmeum opened this issue Jan 29, 2021 · 3 comments
Labels
Milestone

Comments

@fmeum
Copy link
Contributor

fmeum commented Jan 29, 2021

While fuzzing fastjson in version 1.2.75, I found 4 cases of undeclared exceptions (i.e., exceptions other than JSONException).
The crashes can be reproduced with the following standalone Java applications, which require fastjson-1.2.75.jar from https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.75/fastjson-1.2.75.jar in the classpath.

Issue 1: NumberFormatException

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash1 {
    public static void main(String[] args) {
        try {
            JSON.parse("{[-");
        } catch (JSONException unused) {
            return;
        }
    }
}

Issue 2: ClassCastException

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash2 {
    public static void main(String[] args) {
        try {
            JSON.parse("TreeSet[[]");
        } catch (JSONException unused) {
            return;
        }
    }
}

Issue 3: ArrayIndexOutOfBoundsException

import java.util.Base64;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash3 {
    public static String btoa(String base64) {
        return new String(Base64.getDecoder().decode(base64));
    }

    public static void main(String[] args) {
        try {
            JSON.parse(btoa("IltbezU6W3s2Ojg2Ojg4LDU6W3s2OgAAAA17eycAAAAAAAAAAAAAAAAAAAAAAAAAAA17eyd7e3t7//97UERGLTIgQm8aNDU6W3s2Ojg4LDU6W3s2OgAAAA17NgEAAHt7//97UERGLTIgQm8aNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA17eyd7ewFF//97UERGLTIgQmpkAAAAAAAADXt7J3t7AUX//3tQREYtMiBCbxo0UERGLTIgQm8aNFBERi0yIEJvGjRwZW5qZAAAAAAAAAAAAAAAAAAAAAANe3sne3sBRf//e1BERi0yIEJvGjQAAAAADXt7J3t7AUX//3tQREYtMiBCbxo0amQAAA17eyd7ewFF//97UERGLTIgQm8aNAAADXt7J3t7AUX//3tQREYtMiBCbxo0AAAAAA17eyd7////T/97UERGLTIgQm8aNFBERi0yIEJvGjRwZW5qZAAAAAAAAAAAAAAAAAAAAAANe3sne3sBRf//e1BERi0yIEJvGjQAAAAADXt7J3t7AUX//3tQREYtMiBCbxo0UERGLTIgQm8aNFBERi0yIEJvGjRwZW5qZAAAAAAAAAAAAAAAAAAAAAANe3sne3sBRf//e1BERi0yIEJvGjQAAAAADXt7J3t7AUX//3tQREYtMiBCbxo0"));
        } catch (JSONException unused) {
            return;
        }
    }
}

Issue 4: ArrayIndexOutOfBoundsException

import java.util.Base64;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash4 {
    public static String btoa(String base64) {
        return new String(Base64.getDecoder().decode(base64));
    }

    public static void main(String[] args) {
        try {
            JSON.parse(btoa("WywsIiIMLCIAAAAMAAAgAAAAdWUgdAAAAA1ubHUlbDMyMjIABAAAADIyMjISMjNbW1ukHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHiBUZA17W3tbCTg0DQooIHRleHQuIEFuZCAgNDRUBDQ0LCwoLCwsLCwsKSwsLCwsLCwsLCwsLCwsnf8sLCwsLCwsMiwsLG51bA9sLCwqLCwsLCwsLCwsLCwsLCwsLCwoLCwsLCwsKSx077+9LCwsLBAsLCwsLCwoLCwsLCwsKSx077+9LCwsLCwyLCwsLCwsLCwsLFtbW1uhpJ3/GiwsLCwsLDIsLCwsLCwsQSw8LCwsLHtbW1sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHtbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHsnw4QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWw1dLAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAW10AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAW6Gknf8sLCwsLCwsLCwsLCwsWywsLCwsLCwsLCwsLCwsLCwsKCwsLCwsLCksLCwsLCwsLCwsLCwsLJ3/LCwsLCwsLDIsLCxudWxsLCwqLCwsLCwsLCwsLCwsLCwsLCwoLCwsLCwsKSx077+9LCwsLCwsLCwsLCwoLCwsLCwsKSx07zV1bmRlZmluZW5kACwsLCwsLFtbW1uhpJ3/GiwsLCwsLDIsLCwsLCwsQSw8LCwsLHtbW1tboaSd/ywsLCwsLCwsLCwsLCxbLCwsLCwsLCwsLCwsLCwsLCwsLEEsPCwsLCx7W1tbW6Gknf8sLCwsLCwsLCwsLCwsLCwsLCgsLCwsLCwpLCwsLCwsLCwsLCwsLCyd/ywsLCwsLCwyLCwsbnVsbCwsKiwsLCwsLCwsLCwsLCwsLCwsKCwsLCwsLCksdO+/vSwsLCwsMSwsLCwsLCwsLCxbW1tboaSd/xosLCwsLCwyLCwsLCwsLCwsLCws"));
        } catch (JSONException unused) {
            return;
        }
    }
}
@wenshao wenshao added this to the 1.2.76 milestone Jan 31, 2021
@Certseeds
Copy link
Contributor

@wenshao
Is there anyone had done something in this issue?
I am willing to solve it in a few months.

@fmeum
Copy link
Contributor Author

fmeum commented Mar 12, 2021

As the issues reported in this thread were found via fuzzing, I have drafted a PR that would set up fastjson for continuous fuzzing in OSS-Fuzz: google/oss-fuzz#5373

Let me know if you have any questions or concerns.

@fmeum
Copy link
Contributor Author

fmeum commented Mar 13, 2021

@wenshao Sorry, I didn't intend for google/oss-fuzz#5373 to be merged right away. If you want me to make any changes or revert the OSS-Fuzz integration entirely, please let me know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants