lloyd / yajl

A fast streaming JSON parsing library in C.
http://lloyd.github.com/yajl
ISC License

Uninitialized memory reads and out-of-bound in 1.0.12 #204

Open zeroinside opened 6 years ago

zeroinside commented 6 years ago

Hello. I've done some testing using american fuzzy lop. This tool found a few serious bugs. valgrind output:

```
==85864== Invalid read of size 8
==85864==    at 0x4E3D172: yajl_buf_append (in /lib/libyajl.so.1)
==85864==    by 0x4E3E0F0: yajl_gen_number (in /lib/libyajl.so.1)
==85864==    by 0x401A40: reformat_number (input.c:25)
==85864==    by 0x4E3CD93: yajl_do_parse (in /lib/libyajl.so.1)
==85864==    by 0x4012C0: main (input.c:149)
==85864==  Address 0x60540c2c8 is not stack'd, malloc'd or (recently) free'd
==85864==
==85864==
==85864==
==85864== Process terminating with default action of signal 11 (SIGSEGV)
==85864==  Access not within mapped region at address 0x60540C2C8
==85864==    at 0x4E3D172: yajl_buf_append (in /lib/libyajl.so.1)
==85864==    by 0x4E3E0F0: yajl_gen_number (in /lib/libyajl.so.1)
==85864==    by 0x401A40: reformat_number (input.c:25)
==85864==    by 0x4E3CD93: yajl_do_parse (in /lib/libyajl.so.1)
==85864==    by 0x4012C0: main (input.c:149)
==85864==  If you believe this happened as a result of a stack
==85864==  overflow in your program's main thread (unlikely but
==85864==  possible), you can try to increase the size of the
==85864==  main thread stack using the --main-stacksize= flag.
==85864==  The main thread stack size used in this run was 8388608.
--85864-- REDIR: 0x50c64f0 (libc.so.6:free) redirected to 0x4c2ed80 (free)
```

Example PoC:

```
[[{} ,[[[{} ,[{} ,[[],[[[9],[9],[],[[[9],[[[[],[[9],[9],[[9],[[[[],[[9],[[[9],[[],[[[[],[[9 ,[{} ,[[],[[[9],[9],[],[[[9],[[[[[9],[[[[],[[9],[9],[7],[],[[[9],[[[[[9],[[[[],[[9],[[[9],[[],[[[[],[[9],[9],[],[[[9],[[[[[9],[[[[],[[],[[9],[[[[],[[9],[[],[],[]],[[]],[],[],[[9],[[],[],[[],[[],9],[],[[[9],[[[[[9],[],[9],[],[[[9],[[[[[9],[[[[],[[9],[[[[],[[9],[[],[],[]],[[],[[9],[[9],[9],[],[[[9],[[[[[9],[[[[],[[9],[[[[],[[9],[[],[],[]],[[]],[],[],[[9],[[],[],[[],[[],[[[9],[9],[],[[[9],[9],[[[[],[[9],[[[[],[[9],[[],[],[]],[[[9],[9],[[[[],[[9],[[[[],[[9],[[],[],[]],[[]]C[],[],[[9],[[],[],[[],[[],[[[9],[9],[],[[[9],[[],[[[[],[[9],[[[[[
```

PoC has been tested on code from: http://lloyd.github.io/yajl/yajl-1.0.12/index.html
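When a fuzzer produces a crash like the one reported above, the first triage question is usually "where is the fault, and what class of memory error is it?" The script below is an added example (not part of yajl and not code from the reporter) that parses a memcheck log in the format shown in the report, pulls out each error record with its backtrace and faulting address, and classifies it from memcheck's own wording. The `SAMPLE_LOG` constant is constructed for this example by reflowing the report's output onto one record per line; the location regexes and the "first frame with a source location" heuristic for finding the harness-side caller are assumptions of this script, not anything yajl or valgrind define.

```python
"""Summarise a valgrind memcheck log: error kind, faulting function,
innermost frame with a source location, and a coarse bug class.
Added example for triaging fuzzer-found crashes; not part of yajl."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the memcheck output attached to the report above,
# one record per line (the report has it run together on a single line).
SAMPLE_LOG = """\
==85864== Invalid read of size 8
==85864==    at 0x4E3D172: yajl_buf_append (in /lib/libyajl.so.1)
==85864==    by 0x4E3E0F0: yajl_gen_number (in /lib/libyajl.so.1)
==85864==    by 0x401A40: reformat_number (input.c:25)
==85864==    by 0x4E3CD93: yajl_do_parse (in /lib/libyajl.so.1)
==85864==    by 0x4012C0: main (input.c:149)
==85864==  Address 0x60540c2c8 is not stack'd, malloc'd or (recently) free'd
==85864==
==85864== Process terminating with default action of signal 11 (SIGSEGV)
==85864==  Access not within mapped region at address 0x60540C2C8
==85864==    at 0x4E3D172: yajl_buf_append (in /lib/libyajl.so.1)
"""

PID_PREFIX = re.compile(r"^==(\d+)==\s?(.*)$")            # "==PID== rest"
FRAME = re.compile(r"^(at|by) 0x([0-9A-Fa-f]+): (\S+) \((.*)\)$")
ADDRESS = re.compile(r"[Aa]ddress 0x([0-9A-Fa-f]+)(?: is (.*))?")
SIGNAL = re.compile(r"signal (\d+) \((\w+)\)")
SOURCE_LOC = re.compile(r"\.[ch]:\d+$")                    # e.g. "input.c:25"
ERROR_PREFIXES = ("Invalid read", "Invalid write",
                  "Use of uninitialised", "Conditional jump")


@dataclass
class MemcheckError:
    kind: str
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (func, where)
    address: Optional[int] = None
    address_status: Optional[str] = None   # memcheck's description of the address
    signal: Optional[str] = None


def parse_memcheck(log: str) -> List[MemcheckError]:
    """Split a memcheck log into error records; a blank '==PID==' line ends one."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    for raw in log.splitlines():
        m = PID_PREFIX.match(raw)
        if not m:
            continue                       # e.g. "--PID-- REDIR:" chatter
        body = m.group(2).strip()
        if not body:
            current = None
            continue
        f = FRAME.match(body)
        if f and current is not None:
            current.frames.append((f.group(3), f.group(4)))
            continue
        a = ADDRESS.search(body)
        if a and current is not None:
            current.address = int(a.group(1), 16)
            if a.group(2):
                current.address_status = a.group(2)
            continue
        s = SIGNAL.search(body)
        if s:
            current = MemcheckError(kind=body, signal=s.group(2))
            errors.append(current)
        elif body.startswith(ERROR_PREFIXES):
            current = MemcheckError(kind=body)
            errors.append(current)
    return errors


def faulting_function(err: MemcheckError) -> Optional[str]:
    """Innermost frame: where the bad access actually executed."""
    return err.frames[0][0] if err.frames else None


def first_user_frame(err: MemcheckError) -> Optional[Tuple[str, str]]:
    """First frame carrying a file:line, i.e. the caller built with debug info.
    Heuristic: separates the harness/application from a stripped library."""
    for func, where in err.frames:
        if SOURCE_LOC.search(where):
            return func, where
    return None


def classify(err: MemcheckError) -> str:
    """Coarse bug class derived from memcheck's address description."""
    status = (err.address_status or "").lower()
    if "not stack'd, malloc'd or" in status:
        return "wild pointer (address not in any known allocation)"
    if "bytes after a block" in status or "bytes before a block" in status:
        return "heap buffer overrun"
    if "inside a block" in status and "free'd" in status:
        return "use after free"
    if err.signal == "SIGSEGV":
        return "segmentation fault (unmapped address)"
    return "unclassified"


if __name__ == "__main__":
    for e in parse_memcheck(SAMPLE_LOG):
        print(e.kind, "|", faulting_function(e), "|", first_user_frame(e), "|", classify(e))
```

Run against the sample, the first record resolves to `yajl_buf_append` reached from `reformat_number (input.c:25)` with a "wild pointer" class, which is what tells a triager that the harness only supplied input and the fault is inside the library; the SIGSEGV record that follows is the same access, reported again at process termination.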

berrange commented 1 year ago

I can reproduce this on the 1.x branch, but I can't reproduce in master. A git bisect suggests it was fixed by #25, so anyone on any 2.x.y release and/or master should be ok.