Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Heap-buffer-overflow (OSS-Fuzz issue 342) #405

Closed
nlohmann opened this issue Dec 29, 2016 · 1 comment
Closed

Heap-buffer-overflow (OSS-Fuzz issue 342) #405

nlohmann opened this issue Dec 29, 2016 · 1 comment
Assignees
@nlohmann
Labels
aspect: binary formats BSON, CBOR, MessagePack, UBJSON confirmed kind: bug
Milestone
Release 2.0.10

Comments

@nlohmann
Copy link
Owner

nlohmann commented Dec 29, 2016
edited
Loading

The library is continuously fuzz tested by Google's OSS-Fuzz. Today, an error was reported:

Detailed report: https://clusterfuzz-external.appspot.com/testcase?key=5472665292767232

Project: json
Fuzzer: libFuzzer_json_fuzzer-parse_cbor
Fuzz target binary: fuzzer-parse_cbor
Job Type: libfuzzer_asan_json
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 5
Crash Address: 0x605000000225
Crash State:
std::__1::char_traits<char>::copy
std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<ch
std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<ch

Recommended Security Severity: Medium

Regressed: https://clusterfuzz-external.appspot.com/revisions?job=libfuzzer_asan_json&range=201612280923:201612281110

Minimized Testcase (0.00 Kb): https://clusterfuzz-external.appspot.com/download/AMIfv94c2L_GoEKlUSWB2gQoiaX_veHtuUwFkXVKj88i3tOPk7AA6UqRMLo2aytGWyUVQsDJC3WmwF1NPhnPhJLd6c1VhHpMgsRQqisa0hzTpw0lHf6dVovkDu7cdOMTdG7XdpQ0-Qqa8SEaYqu0IhWbtXSkQZu9cao2hlsLOl48lA7EPEiETgDTZPJUgS_PEfqarTK1PETsxKjnJfjIUPdzXwL6lYdyM1VN1vlGIfWohnYFEE3xh608ggArcT54q0oTOcefgbgoH8v4KNxpNCyXtP2MsAs4mqO94cwpqQ7mW-G1irt1AvN6D4Yy8BK0hys7AmEr2oR3RMpsm2O8HScD_mFiP7Erjw9-dNxcYUYPSxYUrDKSGPivrs__ykA5DwthpV92cvba?testcase_id=5472665292767232

Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.

SCARINESS: 18 (5-byte-read-heap-buffer-overflow)
#0 0x4bd9d4 in __asan_memcpy /src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:453
#1 0x5281f0 in std::__1::char_traits<char>::copy(char*, char const*, unsigned long) /usr/local/bin/../include/c++/v1/__string:220:50
#2 0x51c593 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::__init(char const*, unsigned long) /usr/local/bin/../include/c++/v1/string:1534:5
#3 0x51c593 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::basic_string(char const*, unsigned long) /usr/local/bin/../include/c++/v1/string:1566
#4 0x51c593 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7290
#5 0x511d43 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) /src/json/src/json.hpp:7734:16
@nlohmann
Copy link
Owner Author

First diagnosis: I forgot to check in check_length whether len + offset < size.

nlohmann added a commit that referenced this issue Dec 29, 2016
@nlohmann
🚑 fix for #405
871ceba
@nlohmann nlohmann self-assigned this Dec 29, 2016
@nlohmann nlohmann mentioned this issue Dec 29, 2016
Closed
@nlohmann nlohmann added the aspect: binary formats BSON, CBOR, MessagePack, UBJSON label Mar 28, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nlohmann nlohmann

Labels
aspect: binary formats BSON, CBOR, MessagePack, UBJSON confirmed kind: bug
Projects
None yet
Milestone
Release 2.0.10
Development

No branches or pull requests
1 participant
@nlohmann