I found a minor bug in json_skip_whitespace, however, I triggered this bug from the json_parse function with the following buffer as input: '\n\t\t\n\t\t\t\t"\x00'
The stack trace is as follows:
json_skip_whitespace at ./json.h:478
json_skip_all_skippables at ./json.h:610
json_parse_ex at ./json.h:1972
json_parse at ./json.h:2049
The bug happens because of the following two function calls in json_parse_ex: https://github.com/sheredom/json.h/blob/master/json.h#L1968-L1972

The first call to json_get_value_size results in a call to json_skip_all_skippables: https://github.com/sheredom/json.h/blob/eeb1c14bb81bbc814e6a2469fca2d9278a56223b/json.h#L1249-L1259

This json_skip_all_skippables will set offset to be at the " character of the buffer (second to last). Then, the call to json_get_string_size will result in offset being incremented by 2, in particular first on line: https://github.com/sheredom/json.h/blob/eeb1c14bb81bbc814e6a2469fca2d9278a56223b/json.h#L656-L658
and again here:
https://github.com/sheredom/json.h/blob/eeb1c14bb81bbc814e6a2469fca2d9278a56223b/json.h#L776-L779

Then, when json_skip_all_skippables is called from inside json_parse_ex, the following code: https://github.com/sheredom/json.h/blob/eeb1c14bb81bbc814e6a2469fca2d9278a56223b/json.h#L604-L610 will execute and offset will in fact be one above size, which is why the overflow happens in json_skip_whitespace:
https://github.com/sheredom/json.h/blob/eeb1c14bb81bbc814e6a2469fca2d9278a56223b/json.h#L470-L478
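Added example (not code from json.h or from the reporter): a simplified model of the offset accounting described above, using the reported 10-byte input, that contrasts a whitespace skipper which examines src[offset] before checking the bound with one that checks the bound first. All function and variable names here are hypothetical.

```c
#include <stddef.h>

/* Constructed input from the report: '\n\t\t\n\t\t\t\t"\x00'.
   The string literal's trailing NUL is the tenth byte of the buffer. */
static const char kInput[] = "\n\t\t\n\t\t\t\t\"";
#define INPUT_SIZE (sizeof(kInput)) /* 10 */

static int is_ws(char c) { return c == ' ' || c == '\t' || c == '\n' || c == '\r'; }

/* Model of a do/while skipper that looks at the byte before it checks the bound.
   Instead of performing the out-of-bounds read, it returns 1 where that read would occur. */
int skip_ws_read_then_check(const char *src, size_t size, size_t *offset) {
    do {
        if (*offset >= size) return 1;  /* real code would read src[*offset] here */
        if (!is_ws(src[*offset])) return 0;
        (*offset)++;
    } while (*offset < size);
    return 0;
}

/* Hardened form: the bound is checked before every read, so offset == size is safe. */
int skip_ws_check_then_read(const char *src, size_t size, size_t *offset) {
    while (*offset < size && is_ws(src[*offset])) (*offset)++;
    return 0;
}

/* Steps 1 and 2 of the report: skip leading whitespace (offset lands on the '"' at
   index 8), then scan the string: consume the opening quote and advance until a
   closing quote or the end of the buffer. Returns the resulting offset (10 == size). */
size_t offset_after_string_scan(void) {
    size_t offset = 0;
    skip_ws_check_then_read(kInput, INPUT_SIZE, &offset);     /* offset = 8 */
    offset++;                                                   /* past '"' -> 9 */
    while (offset < INPUT_SIZE && kInput[offset] != '"') offset++; /* NUL -> 10 */
    return offset;
}

/* Step 3: the whitespace skipper is entered with offset == size.
   Returns 1 if the chosen skipper would read past the buffer, 0 otherwise. */
int reproduce(int use_checked_skipper) {
    size_t offset = offset_after_string_scan();
    if (use_checked_skipper)
        return skip_ws_check_then_read(kInput, INPUT_SIZE, &offset);
    return skip_ws_read_then_check(kInput, INPUT_SIZE, &offset);
}
```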