Tencent / rapidjson

A fast JSON parser/generator for C++ with both SAX/DOM style API
http://rapidjson.org/

Stack overflow on rapidjson #2260

Closed adoxalim closed 2 months ago

adoxalim commented 5 months ago

There is a stack overflow in rapidjson. I am sure about its exploitability, so I will add only the stack trace for now; if a project member says okay, I will add the PoC file too. Thank you! rapidjson-stack.txt

yhyu13 commented 4 months ago

I am not a maintainer, but I just came across this. What is the JSON file that leads to this infinite recursion? Is it reproducible?

adoxalim commented 4 months ago

The issue is reproducible, and while this is the official page, it is good to share the file and steps here:

  1. Write or find some rapidjson code that uses the parse API (i.e. examples/capitalize)
  2. Build the code with the LLVM sanitizer: `clang++-18 -fsanitize=address target.cpp`
  3. Open the file with the compiled program and observe the stack overflow (`cat file.json | ./capitalize`)
  4. Repeat the same steps with the memory, undefined, leak and thread sanitizers, and you will get similar results.

The source of the problem is the ability to create a new `[` inside another one without any limitation. I am not a pro at exploiting it, but some skilled hand may convert it. It was very easy to find this bug, which means others could find it too. As it will now be visible to everyone, if it is dangerous, please do not be late to patch it. The easiest patch could be limiting the number of `[` trees, or a better idea.

file.json

pagict commented 2 months ago

I thought it would be a missing feature at first, and I tried to fix it with an idea like this: https://github.com/pagict/rapidjson/commit/50f75cdf45cf5c259110466eff7fe896c1cf850d

As I went further, I discovered that there is already a schema validator implemented; you can define your own validator to protect against this scenario. Alternatively, you can implement this stack-overflow protector as a Handler, to avoid too deeply nested objects.
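The Handler approach the previous comment suggests, worked through as an added example that is not rapidjson's own code or the commit linked above. `DepthGuard` wraps any SAX-style handler and uses the same container callback names rapidjson's `Reader` invokes (`StartObject`, `EndObject`, `StartArray`, `EndArray`); returning `false` from a callback is how a rapidjson Handler aborts a parse. So the example compiles and runs without rapidjson installed, the callbacks are driven by `scanContainers`, a constructed, iterative stand-in scanner that only reports container boundaries; it is an assumption of this example, not rapidjson's parser. `nestedArrays` builds the kind of input the issue describes: `n` opening brackets followed by `n` closing ones.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Forwards container callbacks to an inner handler but refuses to descend
// past max_depth. A rapidjson Handler aborts the parse by returning false
// (the Reader then reports kParseErrorTermination), so this guard logic can be
// pasted into a real Handler unchanged.
template <typename Inner>
class DepthGuard {
public:
    DepthGuard(Inner& inner, std::size_t max_depth)
        : inner_(inner), max_depth_(max_depth) {}
    bool StartObject() { return enter() && inner_.StartObject(); }
    bool EndObject(std::size_t n) { leave(); return inner_.EndObject(n); }
    bool StartArray() { return enter() && inner_.StartArray(); }
    bool EndArray(std::size_t n) { leave(); return inner_.EndArray(n); }
    std::size_t depth() const { return depth_; }
private:
    bool enter() { return ++depth_ <= max_depth_; }   // reject the (max_depth+1)th level
    void leave() { if (depth_ > 0) --depth_; }
    Inner& inner_;
    std::size_t depth_ = 0;
    std::size_t max_depth_;
};

// Inner handler used by the demo: it only counts containers it was allowed to see.
struct CountingHandler {
    std::size_t containers = 0;
    bool StartObject() { ++containers; return true; }
    bool EndObject(std::size_t) { return true; }
    bool StartArray() { ++containers; return true; }
    bool EndArray(std::size_t) { return true; }
};

// Constructed stand-in for the parser (NOT rapidjson's Reader): an iterative
// scanner that reports container boundaries, skips string literals so brackets
// inside strings are not counted, and stops as soon as the handler says no.
// Being a loop rather than recursion, it cannot itself blow the stack.
template <typename Handler>
bool scanContainers(const std::string& json, Handler& h) {
    std::size_t open = 0;
    bool in_string = false;
    for (std::size_t i = 0; i < json.size(); ++i) {
        char c = json[i];
        if (in_string) {
            if (c == '\\') ++i;                 // skip the escaped character
            else if (c == '"') in_string = false;
            continue;
        }
        switch (c) {
            case '"': in_string = true; break;
            case '[': ++open; if (!h.StartArray()) return false; break;
            case '{': ++open; if (!h.StartObject()) return false; break;
            case ']': if (open == 0) return false; --open;
                      if (!h.EndArray(0)) return false; break;
            case '}': if (open == 0) return false; --open;
                      if (!h.EndObject(0)) return false; break;
            default: break;
        }
    }
    return open == 0 && !in_string;             // balanced and no dangling string
}

// True when the document is balanced and never nests deeper than max_depth.
bool withinDepthLimit(const std::string& json, std::size_t max_depth) {
    CountingHandler counter;
    DepthGuard<CountingHandler> guard(counter, max_depth);
    return scanContainers(json, guard);
}

// Builds n nested empty arrays, e.g. nestedArrays(3) == "[[[]]]".
std::string nestedArrays(std::size_t n) {
    return std::string(n, '[') + std::string(n, ']');
}

int main() {
    const std::size_t limit = 64;
    std::printf("10 levels, limit %zu: %s\n", limit,
                withinDepthLimit(nestedArrays(10), limit) ? "accepted" : "rejected");
    std::printf("100000 levels, limit %zu: %s\n", limit,
                withinDepthLimit(nestedArrays(100000), limit) ? "accepted" : "rejected");
    return 0;
}
```

The guard rejects the hundred-thousand-level input after inspecting 65 brackets, so the cost of a hostile document is bounded by the limit rather than by its size. When wiring this into a real rapidjson Handler, pick the limit from what the application actually needs (a few dozen levels covers most schemas) and treat `kParseErrorTermination` as a hard reject; rapidjson's `kParseIterativeFlag`, which parses without recursion, is a complementary option for callers that cannot restrict depth.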