Heap Overflow in json_parse_string() #92
Comments
Thanks for these bugs - working through them at present!
sheredom added a commit that referenced this issue on Nov 14, 2022
sheredom added a commit that referenced this issue on Nov 14, 2022
sheredom added a commit that referenced this issue on Nov 14, 2022
Very quick response, thanks!
Heap Overflow in json_parse_string()
In json_parse_string(), there is a heap out-of-bounds write. The bug can be triggered with an invocation of json_parse_ex() with a specific flags combination. The root cause of the vulnerability is that when copying from src to data, the length of data (state.data_size) is not taken into consideration. Here is the output of Google ASAN when the vulnerability is triggered:

And the backtrace info from gdb:

The input to trigger this bug is attached. The first 8 bytes are the flags for json_parse_ex() and the rest is the content (src). Please use address sanitizer to reproduce the bug, as a non-crash overflow is hard to detect or locate without shadow memory.

Version: latest commit (bdcf2e1)
Also, you can always use the code below to reproduce the vulnerabilities I reported (and I won't attach it in each report, for simplicity):

    clang fuzz.c -o san -O0 -g -fsanitize=address,undefined

Attachment: crash-input.zip
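The report's root cause is a copy loop that writes decoded string bytes into a heap buffer (data) without bounding those writes by the buffer's capacity (state.data_size). The following C program is an added illustration of that bug class and of the fix; it is not json.h's code, and the struct fields, the FLAG_DECODE_UNICODE flag and the sizing rule are constructed for the example (json.h's actual sizing logic and flags differ). It decodes a JSON string literal in two passes, a sizing pass that allocates data and a copy pass that fills it. The sizing pass ignores the flag, so with the flag set the copy pass can emit more bytes than were budgeted; the unchecked variant then writes past data_size, while the checked variant bounds every write and fails closed. To keep the stand-alone run well defined, the allocation is padded with GUARD bytes so the overflow lands inside the allocation and can be detected by inspection; set GUARD to 0 and build with -fsanitize=address to get the heap-buffer-overflow report the reporter describes.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical flag (not a json.h flag): decode \uXXXX escapes to UTF-8. */
#define FLAG_DECODE_UNICODE 0x1u
/* Slack after data so the unchecked overflow is visible without ASan; 0 for the real report. */
#define GUARD 8

/* Parser state using the field names the report mentions (src, data,
 * data_size). Constructed for this illustration, not json.h's struct. */
struct state {
    const char *src;      /* raw text, positioned at the opening quote */
    size_t src_size;
    size_t flags;
    char *data;           /* heap buffer the decoded string is written into */
    size_t data_size;     /* capacity of data, from the sizing pass */
    size_t data_used;
};

/* Sizing pass: budgets one output byte per escape and ignores flags, while the
 * copy pass emits up to three bytes per \uXXXX. That constructed mismatch stands in
 * for "the length of data (state.data_size) is not taken into consideration". */
static size_t size_string(const char *src, size_t n)
{
    size_t out = 0;
    for (size_t i = 1; i < n && src[i] != '"'; i++) {
        out++;
        if (src[i] == '\\' && i + 1 < n)
            i += (src[i + 1] == 'u') ? 5 : 1;
    }
    return out + 1;                                   /* NUL terminator */
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Copy pass. checked == 0 reproduces the bug class: no write into data consults
 * data_size. checked != 0 is the hardened form: every write is bounded and the parse
 * fails closed. Returns decoded length without NUL, or (size_t)-1. No surrogate pairs. */
static size_t parse_string(struct state *s, int checked)
{
#define PUT(c) do { if (checked && s->data_used + 1 >= s->data_size) \
                        return (size_t)-1;                           \
                    s->data[s->data_used++] = (char)(c); } while (0)
    size_t i = 1;                                 /* skip opening quote */
    while (i < s->src_size && s->src[i] != '"') {
        char c = s->src[i];
        if (c != '\\') { PUT(c); i++; continue; }
        if (i + 1 >= s->src_size) return (size_t)-1;
        char e = s->src[i + 1];
        if (e == 'u' && (s->flags & FLAG_DECODE_UNICODE)) {
            if (i + 6 > s->src_size) return (size_t)-1;
            unsigned cp = 0;
            for (int k = 0; k < 4; k++) {
                int d = hexval(s->src[i + 2 + k]);
                if (d < 0) return (size_t)-1;
                cp = (cp << 4) | (unsigned)d;
            }
            if (cp < 0x80) { PUT(cp); }
            else if (cp < 0x800) { PUT(0xC0 | (cp >> 6)); PUT(0x80 | (cp & 0x3F)); }
            else { PUT(0xE0 | (cp >> 12)); PUT(0x80 | ((cp >> 6) & 0x3F));
                   PUT(0x80 | (cp & 0x3F)); }
            i += 6;
            continue;
        }
        switch (e) {
        case 'n': PUT('\n'); break;
        case '"': case '\\': case '/': PUT(e); break;
        default: return (size_t)-1;      /* includes \u when the flag is off */
        }
        i += 2;
    }
    if (i >= s->src_size) return (size_t)-1;              /* unterminated */
    if (checked && s->data_used >= s->data_size) return (size_t)-1;
    s->data[s->data_used] = '\0';
    return s->data_used;
#undef PUT
}

/* Sizing pass, allocation, copy pass. *guard_clobbered is set when the
 * decoder wrote past data_size. Returns decoded length or (size_t)-1. */
static size_t decode(const char *src, size_t flags, int checked, int *guard_clobbered)
{
    struct state s = { src, strlen(src), flags, NULL, 0, 0 };
    s.data_size = size_string(s.src, s.src_size);
    s.data = malloc(s.data_size + GUARD);
    if (!s.data) return (size_t)-1;
    memset(s.data, 0xAA, s.data_size + GUARD);
    size_t n = parse_string(&s, checked);
    *guard_clobbered = 0;
    for (size_t k = 0; k < GUARD; k++)
        if ((unsigned char)s.data[s.data_size + k] != 0xAA) *guard_clobbered = 1;
    free(s.data);
    return n;
}
```

Calling decode("\"\\u20ac\"", FLAG_DECODE_UNICODE, 0, &g) decodes the euro sign to three UTF-8 bytes plus a NUL into a two-byte buffer and sets g, which is the silent, non-crashing overflow the reporter warns is hard to see without shadow memory; the same call with checked set to 1 returns (size_t)-1 and leaves the guard untouched. The practical lesson is the one the issue title implies: bound every write in the copy loop by data_size rather than trusting that an earlier sizing pass agrees with it under every flag combination.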