openresty / lua-cjson

Lua CJSON is a fast JSON encoding/parsing module for Lua
http://www.kyne.com.au/~mark/software/lua-cjson.php
MIT License

[CVE] A heap overflow in the lua-cjson library #93

Open NagamineLee opened 1 year ago

NagamineLee commented 1 year ago

A CVE has revealed a critical vulnerability in Redis, but the details of the vulnerability are more related to cjson. By reviewing the Redis source code, the cjson library used in Redis is also derived from the official Lua CJSON. So the problem may also happen in OpenResty.

A heap overflow in the lua-cjson library
Severity: high
CVE-2022-24834

zhuizhuhaomeng commented 1 year ago

Ported the code from redis: https://github.com/openresty/lua-cjson/pull/94