Passing -1 to json_tokener_parse_ex is possibly unsafe #315
Comments
Side note, the comment has a bit of a bug:

should be
The testcase should be verified with the latest json-c. I'm just saying that I don't think the bug is in that particular place. (Also, the "fix" in gdal is just a work-around.)
I tested your json sample "crash-4f47d9a74b38cc49fdf3c27602fe6a8e68d8352b.txt" (which I renamed "malformed.json") with the following C program:

```c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include "json_tokener.h"

int main(void)
{
    char jsonstr[256];
    int fd = open("malformed.json", O_RDONLY);
    if (fd < 0) {
        perror("open failed");
        return 1;
    }
    /* Leave one byte free so the buffer can always be NUL-terminated. */
    ssize_t r = read(fd, jsonstr, sizeof(jsonstr) - 1);
    if (r <= 0) {
        perror("read failed");
        close(fd);
        return 1;
    }
    printf("json file size: %zd\n", r);
    jsonstr[r] = '\0';
    close(fd);

    struct json_object *obj;
    struct json_tokener *tok = json_tokener_new();
    /* len == -1: the tokener is told the string is NUL-terminated. */
    obj = json_tokener_parse_ex(tok, jsonstr, -1);
    enum json_tokener_error tokerr = json_tokener_get_error(tok);
    printf("json obj = %p ; tokener error = %s\n", (void *)obj, json_tokener_error_desc(tokerr));
    if (obj)
        json_object_put(obj);   /* release the parsed object, if any */
    json_tokener_free(tok);
    return 0;
}
```

It was Valgrind clean and ASAN clean. I tested with both current master and json-c-0.12.1. I did the (more tricky) ASAN test roughly as follows, on ubuntu-16.04 x86_64:
output:
GDAL uses an old copy of json-c and it was crashing by passing "" and -1. The crash is only useful via gdal.
Since you say it's only a problem with old versions of json-c I'm closing this bug.
I think it's reasonable to close this. GDAL is now immune to this as it always specifies the size now and anyone who wants to follow up can find this bug entry.
```c
json_tokener_parse_ex(tok, str, -1);
```

appears to be unsafe, e.g. in json_tokener_parse_verbose(). There are accesses to str without length checks in the function.
So a len of -1 and a str of "" may crash. I'm not 100% sure of this as I'm working with an older copy of json-c.
crash-4f47d9a74b38cc49fdf3c27602fe6a8e68d8352b.txt
This triggered an ASAN heap-buffer-overflow in gdal fixed in this commit:
https://trac.osgeo.org/gdal/changeset/38107
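As an added illustration (constructed for this write-up, not json-c's code) of how a parser entry point can make the "len == -1 means NUL-terminated" convention safe on the callee side: the sentinel is resolved to an explicit, capped byte count before any byte of str is read, so "" with -1 yields a clean "no input" result. The names `cap`, `resolve_len` and `first_token_offset` are assumptions of this example.

```c
#include <stddef.h>

/* Constructed illustration, not json-c code. `cap` is an assumed upper bound
 * supplied by the caller (the size of the buffer str lives in), so that even
 * a string missing its NUL terminator cannot be scanned past its buffer. */

/* Resolve the -1 sentinel to an explicit byte count. A NUL-terminated string
 * is measured only up to `cap`; an explicit len larger than cap is clamped. */
size_t resolve_len(const char *str, int len, size_t cap)
{
    if (len < 0) {
        size_t n = 0;
        while (n < cap && str[n] != '\0')
            n++;
        return n;
    }
    return (size_t)len < cap ? (size_t)len : cap;
}

/* Offset of the first non-whitespace byte (where a JSON value would start),
 * or -1 if the input is empty or all whitespace. Every read of str is guarded
 * by the resolved length; the unsafe pattern from the report would read
 * str[0] before knowing whether any byte exists. */
int first_token_offset(const char *str, int len, size_t cap)
{
    size_t n = resolve_len(str, len, cap);
    for (size_t i = 0; i < n; i++) {
        char c = str[i];
        if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
            return (int)i;
    }
    return -1;
}

/* The reported case: an empty string passed with len == -1. */
int empty_input_is_handled(void)
{
    return first_token_offset("", -1, 1) == -1;
}
```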