dvidelabs / flatcc

FlatBuffers Compiler and Library in C for C
Apache License 2.0

Crash on parsing unterminated JSON #223

Closed Geneo-5 closed 2 years ago

Geneo-5 commented 2 years ago

The following malicious "json" crashes when calling the monster_parse_json function:

```
{"color":"Red"�"weapons2:[ #,"inventory":[0,1,2,3;4,5,,"color":"Red","weapons":[{"name"K,7,8,9:"Sw}rd","-amage":3},{"name":"Axapons":[{"ne"�damagE":4}},"equipp,4,526,7,8,Q],"coed_type":"Weame":"Axe","dame":5}}
```

```
00000000  7b 22 63 6f 6c 6f 72 22  3a 22 52 65 64 22 ac 22  |{"color":"Red"."|
00000010  77 65 61 70 6f 6e 73 32  3a 5b 20 23 2c 22 69 6e  |weapons2:[ #,"in|
00000020  76 65 6e 74 6f 72 79 22  3a 5b 30 2c 31 2c 32 2c  |ventory":[0,1,2,|
00000030  33 3b 34 2c 35 2c 2c 22  63 6f 6c 6f 72 22 3a 22  |3;4,5,,"color":"|
00000040  52 65 64 22 2c 22 77 65  61 70 6f 6e 73 22 3a 5b  |Red","weapons":[|
00000050  7b 22 6e 61 6d 65 22 4b  2c 37 2c 38 2c 39 3a 22  |{"name"K,7,8,9:"|
00000060  53 77 7d 72 64 22 2c 22  2d 61 6d 61 67 65 22 3a  |Sw}rd","-amage":|
00000070  33 7d 2c 7b 22 6e 61 6d  65 22 3a 22 41 78 61 70  |3},{"name":"Axap|
00000080  6f 6e 73 22 3a 5b 7b 22  6e 65 22 80 00 64 61 6d  |ons":[{"ne"..dam|
00000090  61 67 45 22 3a 34 7d 7d  2c 22 65 71 75 69 70 70  |agE":4}},"equipp|
000000a0  2c 34 2c 35 32 36 2c 37  2c 38 2c 51 5d 2c 22 63  |,4,526,7,8,Q],"c|
000000b0  6f 65 64 5f 74 79 70 65  22 3a 22 57 65 61 6d 65  |oed_type":"Weame|
000000c0  22 3a 22 41 78 65 22 2c  22 64 61 6d 00 00 65 22  |":"Axe","dam..e"|
000000d0  3a 35 7d 7d                                       |:5}}|
```

The cause is in flatcc_json_parser_match_constant (json_parser.c) line 492: the call to flatcc_json_parser_space returns 0 as the new buffer address.

It's possible to fix it by replacing the call `buf = flatcc_json_parser_space(ctx, buf + 1, 0);` with `buf = flatcc_json_parser_space(ctx, buf + 1, end);`

But I don't understand why only here the function is called with a value of 0 as the pointer to the end.
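As an added illustration of the bounds fix described above (a simplified model, not flatcc's own code; `parser_ctx_t`, `skip_space_bounded`, `match_constant_bounded` and `parse_constant_status` are hypothetical names), this shows how passing a real end pointer instead of 0 turns an unterminated input into a clean error instead of a scan past the buffer:

```c
#include <string.h>

/* Hypothetical, simplified model of the fix (not flatcc's code): every scan
 * takes an explicit end pointer instead of 0 and stops at it. */
typedef struct {
    const char *end;  /* one past the last valid byte */
    int error;        /* 0 ok, 1 truncated input, 2 no match, 3 bad delimiter */
} parser_ctx_t;

/* Skip JSON whitespace without ever reading at or past end.
 * With end == 0 (the bug) such a loop only stops at a NUL byte, which an
 * unterminated buffer need not contain, so it scans past the allocation. */
static const char *skip_space_bounded(const char *buf, const char *end)
{
    while (buf != end && (*buf == ' ' || *buf == '\t' ||
                          *buf == '\n' || *buf == '\r'))
        ++buf;
    return buf;
}

/* Match the keyword kw (e.g. "true") at buf, then skip trailing space and
 * require a delimiter. Sets ctx->error = 1 when the input ends first. */
static const char *match_constant_bounded(parser_ctx_t *ctx, const char *buf,
                                          const char *end, const char *kw)
{
    size_t n = strlen(kw);
    if ((size_t)(end - buf) < n || memcmp(buf, kw, n) != 0) {
        ctx->error = 2;                  /* not this constant */
        return buf;
    }
    buf = skip_space_bounded(buf + n, end);   /* the original passed 0 here */
    if (buf == end) {
        ctx->error = 1;                  /* unterminated JSON: stop cleanly */
        return end;
    }
    if (*buf != ',' && *buf != '}' && *buf != ']')
        ctx->error = 3;                  /* constant ran into other characters */
    return buf;
}

/* Parse one constant from a constructed buffer of exactly len bytes (no NUL
 * relied upon) and report the resulting error code. */
int parse_constant_status(const char *input, size_t len, const char *kw)
{
    parser_ctx_t ctx = { input + len, 0 };
    match_constant_bounded(&ctx, input, input + len, kw);
    return ctx.error;
}
```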

mikkelfj commented 2 years ago

I think that must be a leftover from a very early version of the parser.

mikkelfj commented 2 years ago

I fixed it on master as you suggested. Note that unlike your previous report, this is not just for malicious input: any accidentally unterminated JSON could trigger this. Please check that it works for you.

Geneo-5 commented 2 years ago

It's ok.