sheredom / json.h

🗄️ single header json parser for C and C++
The Unlicense
698 stars 77 forks

Minor overflow in json_skip_whitespace #69

Closed DavidKorczynski closed 4 years ago

DavidKorczynski commented 4 years ago

I found a minor bug in json_skip_whitespace; however, I triggered this bug from the json_parse function with the following buffer as input: '\n\t\t\n\t\t\t\t"\x00'

The stack trace is as follows:

json_skip_whitespace at ./json.h:478
json_skip_all_skippables at ./json.h:610
json_parse_ex at ./json.h:1972
json_parse at ./json.h:2049

The bug happens because of the following two function calls in json_parse_ex: https://github.com/sheredom/json.h/blob/master/json.h#L1968-L1972

The first call to json_get_value_size results in a call to json_skip_all_skippables:

https://github.com/sheredom/json.h/blob/eeb1c14bb81bbc814e6a2469fca2d9278a56223b/json.h#L1249-L1259

This json_skip_all_skippables will set offset to be at the " character of the buffer (second to last).

Then, the call to json_get_string_size will result in offset being incremented by 2, in particular first on line:

https://github.com/sheredom/json.h/blob/eeb1c14bb81bbc814e6a2469fca2d9278a56223b/json.h#L656-L658

and again here:

https://github.com/sheredom/json.h/blob/eeb1c14bb81bbc814e6a2469fca2d9278a56223b/json.h#L776-L779

Then, when json_skip_all_skippables is called from inside json_parse_ex, the following code: https://github.com/sheredom/json.h/blob/eeb1c14bb81bbc814e6a2469fca2d9278a56223b/json.h#L604-L610 will execute, and offset will in fact be one above the size, which is why the overflow happens in json_skip_whitespace:

https://github.com/sheredom/json.h/blob/eeb1c14bb81bbc814e6a2469fca2d9278a56223b/json.h#L470-L478
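The sequence the report walks through (skip whitespace, scan a string, skip whitespace again, with the string scan leaving the offset past the end of the buffer) is shown below in a small bounds-checked form. This is an added example written for this page; it is not json.h's code, and the function names (skip_whitespace_checked, scan_string_checked, parse_string_document), the error codes and the sample inputs are all constructed here. The point it makes is the defensive one: every read is guarded by `offset < size`, an unterminated string or a raw control byte is reported as an error instead of advancing the offset, and a caller that does arrive with an offset beyond `size` is detected rather than dereferenced.

```c
#include <stddef.h>
#include <stdio.h>

/* Status codes for this toy pipeline (constructed for the example). */
enum {
    TOY_OK = 0,
    TOY_ERR_UNTERMINATED = -1,    /* buffer ended before the closing quote   */
    TOY_ERR_CONTROL = -2,         /* raw control byte (including NUL) inside */
    TOY_ERR_EXPECTED_STRING = -3  /* no opening quote at the given offset    */
};

/* Skip JSON whitespace starting at buf[offset] without ever reading at or
 * beyond buf[size]. If the caller hands in an offset that is already past
 * the end (the inconsistent state described in the issue), the offset is
 * clamped to size and *overrun is set so the caller can reject the input. */
static size_t skip_whitespace_checked(const char *buf, size_t size,
                                      size_t offset, int *overrun) {
    *overrun = 0;
    if (offset > size) {
        *overrun = 1;
        return size;
    }
    while (offset < size) {
        char c = buf[offset];
        if (c != ' ' && c != '\t' && c != '\n' && c != '\r')
            break;
        offset++;
    }
    return offset;
}

/* Scan a JSON string whose opening quote is at buf[offset]. On success the
 * offset just past the closing quote is stored in *end. Every access is
 * guarded, so a missing closing quote yields an error and the offset never
 * moves beyond size. Escapes are handled only far enough to skip them. */
static int scan_string_checked(const char *buf, size_t size,
                               size_t offset, size_t *end) {
    if (offset >= size || buf[offset] != '"')
        return TOY_ERR_EXPECTED_STRING;
    offset++;  /* step over the opening quote */
    while (offset < size) {
        unsigned char c = (unsigned char)buf[offset];
        if (c == '"') {
            *end = offset + 1;
            return TOY_OK;
        }
        if (c == '\\') {
            if (offset + 1 >= size)   /* backslash as the very last byte */
                return TOY_ERR_UNTERMINATED;
            offset += 2;
            continue;
        }
        if (c < 0x20)                 /* JSON forbids raw control bytes */
            return TOY_ERR_CONTROL;
        offset++;
    }
    return TOY_ERR_UNTERMINATED;
}

/* The whole sequence from the report: leading whitespace, one string,
 * trailing whitespace. Returns TOY_OK only if the offset stayed within
 * [0, size] at every step; *consumed then holds the final offset. */
static int parse_string_document(const char *buf, size_t size,
                                 size_t *consumed) {
    int overrun;
    size_t end;
    size_t off = skip_whitespace_checked(buf, size, 0, &overrun);
    int rc = scan_string_checked(buf, size, off, &end);
    if (rc != TOY_OK)
        return rc;
    off = skip_whitespace_checked(buf, size, end, &overrun);
    if (overrun)
        return TOY_ERR_UNTERMINATED;
    *consumed = off;
    return TOY_OK;
}

/* Constructed sample: the 10-byte input from the report (the trailing NUL
 * is part of the buffer, so sizeof - 1 counts it). */
static const char kIssueInput[] = "\n\t\t\n\t\t\t\t\"\x00";
#define kIssueInputSize (sizeof(kIssueInput) - 1)

int main(void) {
    size_t consumed = 0;
    int rc = parse_string_document(kIssueInput, kIssueInputSize, &consumed);
    printf("issue input: rc=%d (expected %d)\n", rc, TOY_ERR_CONTROL);
    rc = parse_string_document("  \"abc\"  ", 9, &consumed);
    printf("well-formed input: rc=%d consumed=%zu\n", rc, consumed);
    return 0;
}
```

With the report's buffer the quote is found at offset 8, the next byte is the NUL at offset 9, and the scan stops there with TOY_ERR_CONTROL; the trailing skip_whitespace_checked call is never reached with an offset beyond the buffer. The `overrun` flag exists for the other direction of defence: even if some earlier step did hand over an offset of size + 1, the whitespace skipper refuses to read rather than indexing one past the end.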

sheredom commented 4 years ago

Thanks for the issue - it was actually a bug in string parsing, which I've fixed in #70!