SIGABRT - process aborted #176
Comments
What version of yajl-ruby are you using?
latest available on rubygems.
This has been assigned CVE-2017-16516
yajl-ruby embeds a patched copy of yajl itself. I was able to reproduce this issue on my machine on the yajl 1.x branch, but curiously only if I enabled debug symbols 🤔 I'm running macOS 10.13.1 and the latest Xcode developer tools. You should be able to reproduce it by cloning yajl locally, checking out the 1.x branch then building the library like so:
From there you'll need to build a small C program that links against the library and reads the bad input you specified in this issue. I'll continue to debug this to try and figure out a fix, but in the meantime I think we should get an issue opened over on the yajl repo itself. What do you think?
I put up the test program I was using here.
I was actually able to reproduce this on yajl master as well 😞 Still digging, but it seems like it might be that there's no validation that the character following a surrogate pair is in the expected escaped format.
The smallest reproduction case is
If a valid surrogate character escape is found, but the following byte sequence isn't a valid unicode escape sequence, insert our replacement character '?' as we would any other place we saw invalid characters while unescaping. Fixes #176
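The comment above and the commit message describe the defect and its fix: a high surrogate escape (\uD800-\uDBFF) must be followed by a complete, well-formed low surrogate escape (\uDC00-\uDFFF), and if it is not, the decoder should emit the replacement character '?' rather than trusting the bytes that follow. The following is an added example written for this thread, not yajl's or yajl-ruby's own code: a small stand-alone C decoder for JSON string escapes that applies that check, and does the length check before reading any byte of the trailing escape. Function names (unescape_json, hex4, put_utf8) are this example's own, and the inputs in main are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Parse exactly four hex digits at p into *out. Returns 1 on success, 0 otherwise.
 * The caller must guarantee that p[0..3] are within the input buffer. */
static int hex4(const unsigned char *p, unsigned *out) {
    unsigned v = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char c = p[i];
        unsigned d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return 0;
        v = (v << 4) | d;
    }
    *out = v;
    return 1;
}

/* Encode code point cp as UTF-8 into dst (at most room bytes). Returns bytes written, 0 if no room. */
static size_t put_utf8(unsigned cp, char *dst, size_t room) {
    unsigned char *d = (unsigned char *)dst;
    if (cp < 0x80)    { if (room < 1) return 0; d[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800)   { if (room < 2) return 0; d[0] = 0xC0 | (cp >> 6);  d[1] = 0x80 | (cp & 0x3F); return 2; }
    if (cp < 0x10000) { if (room < 3) return 0; d[0] = 0xE0 | (cp >> 12); d[1] = 0x80 | ((cp >> 6) & 0x3F);
                        d[2] = 0x80 | (cp & 0x3F); return 3; }
    if (room < 4) return 0;
    d[0] = 0xF0 | (cp >> 18); d[1] = 0x80 | ((cp >> 12) & 0x3F);
    d[2] = 0x80 | ((cp >> 6) & 0x3F); d[3] = 0x80 | (cp & 0x3F);
    return 4;
}

/* Decode the body of a JSON string literal in[0..len) into NUL-terminated UTF-8 in out.
 * Returns the number of bytes written, or -1 if out (outsz bytes) is too small.
 * Every malformed escape, including a lone or mismatched surrogate, becomes '?'. */
int unescape_json(const char *in, size_t len, char *out, size_t outsz) {
    const unsigned char *s = (const unsigned char *)in;
    size_t i = 0, o = 0;
    if (outsz == 0) return -1;
    while (i < len) {
        unsigned cp;
        if (s[i] != '\\') {                      /* ordinary byte: copy through */
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)s[i++];
            continue;
        }
        /* s[i] is a backslash; decide how many bytes the escape consumes before reading them */
        if (i + 1 >= len) { cp = '?'; i += 1; }  /* trailing lone backslash */
        else {
            unsigned char e = s[i + 1];
            switch (e) {
                case '\\': cp = '\\'; i += 2; break;
                case '"':  cp = '"';  i += 2; break;
                case '/':  cp = '/';  i += 2; break;
                case 'b':  cp = '\b'; i += 2; break;
                case 'f':  cp = '\f'; i += 2; break;
                case 'n':  cp = '\n'; i += 2; break;
                case 'r':  cp = '\r'; i += 2; break;
                case 't':  cp = '\t'; i += 2; break;
                case 'u':
                    if (i + 6 > len || !hex4(s + i + 2, &cp)) { cp = '?'; i += 2; break; }
                    i += 6;
                    if (cp >= 0xD800 && cp <= 0xDBFF) {
                        /* High surrogate: the low surrogate escape must be fully present and
                         * well-formed. Length is checked before any of its bytes are touched. */
                        unsigned lo;
                        if (i + 6 <= len && s[i] == '\\' && s[i + 1] == 'u' &&
                            hex4(s + i + 2, &lo) && lo >= 0xDC00 && lo <= 0xDFFF) {
                            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
                            i += 6;
                        } else {
                            cp = '?';            /* high surrogate without a valid partner */
                        }
                    } else if (cp >= 0xDC00 && cp <= 0xDFFF) {
                        cp = '?';                /* lone low surrogate */
                    }
                    break;
                default:   cp = '?'; i += 2; break; /* unknown escape */
            }
        }
        size_t n = put_utf8(cp, out + o, outsz - o - 1); /* keep one byte for the NUL */
        if (n == 0) return -1;
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void) {
    /* Constructed inputs: the literal body from this issue's PoC, and a well-formed pair. */
    const char *bad = "\\uD800\\\\DC00";
    const char *good = "\\uD83D\\uDE00";
    char buf[64];
    int n = unescape_json(bad, strlen(bad), buf, sizeof buf);
    printf("%d bytes: %s\n", n, buf);
    n = unescape_json(good, strlen(good), buf, sizeof buf);
    printf("%d bytes: %s\n", n, buf);
    return 0;
}
```

With the PoC body `\uD800\\DC00`, the decoder sees the high surrogate, finds that the next two bytes are an escaped backslash rather than `\u`, emits '?', and then decodes the remaining `\\DC00` normally, so it never reads beyond the escape it has already bounds-checked.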
a8ca8f4 seems to address the issue
I ran the new release against the two test cases, and it's looking good. Thanks for the quick turnaround @brianmario 👍
Of course! Though next time (but hopefully there is no "next time" haha) let's make sure to disclose vulnerabilities privately first 😉
@brianmario didn't notice your details were on your profile, but ok.
Oh ok no worries, glad we were able to get it fixed so quickly 😄
No upstream changelog, but seems to include security fixes CVE-2017-16516 and others: brianmario/yajl-ruby#176 brianmario/yajl-ruby#178
Good job
PoC:
File passed as input:
{"e":{"\uD800\\DC00":"a"}}
Output:
With this input:
Output: