sheredom / json.h

🗄️ single header json parser for C and C++
The Unlicense

Buffer overflow in json_get_number_size #82

Closed skeeto closed 1 year ago

skeeto commented 1 year ago
#include "json.h"
static char s[2] = "0.";               /* exactly two bytes, no NUL terminator: the number ends at the buffer edge */
int main(void) { json_parse(s, 2); }   /* the number scanner reads past s looking for digits after the '.' */
$ cc -g3 -fsanitize=address crash.c 
$ ./a.out
ERROR: AddressSanitizer: global-buffer-overflow
READ of size 1 at 0x5630032b30e2 thread T0
    #0 json_get_number_size json.h:1223
    #1 json_get_value_size json.h:1352
    #2 json_parse_ex json.h:2039
    #3 json_parse json.h:2120
    #4 main crash.c:3

By the way, I've been finding these as a result of fuzzing a project that uses json.h. Here's a fuzz target to find defects directly in json.h.

#include <stdio.h>
#include <stdlib.h>
#include "json.h"

int main(void)
{
    /* read up to 4 KiB of fuzzer input from stdin */
    size_t n = 1 << 12;
    void *buf = malloc(n);
    size_t len = fread(buf, 1, n, stdin);
    /* shrink the allocation to exactly the bytes read, so any read past the end
       of the input is a heap-buffer-overflow that ASan reports immediately */
    buf = realloc(buf, len);
    /* volatile keeps the compiler from optimizing the parse away */
    void *volatile sink = json_parse(buf, len);
    (void)sink;
}

Usage:

$ afl-gcc -m32 -g3 -fsanitize=address,undefined fuzz.c
$ mkdir in
$ echo {} >in/a
$ afl-fuzz -m800 -iin -oout ./a.out
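As an added example of the bug class this report describes (this is illustrative code, not json.h's own implementation and not written by either commenter): a hypothetical number scanner that assumes a terminator follows the input, next to a bounds-checked version that guards every read with an offset-versus-size test and rejects "0." with size 2 as an incomplete number. The names unchecked_number_size and safe_number_size and the grammar they accept are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>

static int is_digit(char c) { return c >= '0' && c <= '9'; }

/* Hypothetical unchecked scanner (illustration, not json.h). It keeps reading
 * until it sees a non-number byte, so it relies on a terminator existing
 * after the input. On a 2-byte buffer holding "0." it reads src[2]. */
size_t unchecked_number_size(const char *src) {
    size_t off = 0;
    if (src[off] == '-') off++;
    while (is_digit(src[off])) off++;
    if (src[off] == '.') {
        off++;
        while (is_digit(src[off])) off++;   /* reads past a 2-byte "0." */
    }
    if (src[off] == 'e' || src[off] == 'E') {
        off++;
        if (src[off] == '+' || src[off] == '-') off++;
        while (is_digit(src[off])) off++;
    }
    return off;
}

/* Bounds-checked scanner (illustration). Every read is guarded by off < size.
 * Returns the number of bytes the JSON number occupies, or 0 when the bytes
 * within size do not form a complete number (e.g. "0.", "-", "1e").
 * Whatever follows the number is left for the caller to validate. */
size_t safe_number_size(const char *src, size_t size) {
    size_t off = 0;
    if (off < size && src[off] == '-') off++;
    if (off >= size || !is_digit(src[off])) return 0;
    if (src[off] == '0') {
        off++;                                   /* JSON: a leading 0 stands alone */
    } else {
        while (off < size && is_digit(src[off])) off++;
    }
    if (off < size && src[off] == '.') {
        off++;
        if (off >= size || !is_digit(src[off])) return 0;   /* "0." is incomplete */
        while (off < size && is_digit(src[off])) off++;
    }
    if (off < size && (src[off] == 'e' || src[off] == 'E')) {
        off++;
        if (off < size && (src[off] == '+' || src[off] == '-')) off++;
        if (off >= size || !is_digit(src[off])) return 0;   /* "1e", "1e+" are incomplete */
        while (off < size && is_digit(src[off])) off++;
    }
    return off;
}

int main(void) {
    static char s[2] = "0.";   /* constructed input, same shape as the report: no terminator */
    printf("safe: %zu\n", safe_number_size(s, sizeof s));
    /* The unchecked scanner reads s[2], one byte past the array. Build with
       -fsanitize=address to get the same global-buffer-overflow report. */
    printf("unchecked: %zu\n", unchecked_number_size(s));
    return 0;
}
```

The fix pattern is the same one the fuzz harness above is designed to exercise: shrink the input to its exact length and make the scanner carry the length with it, so "end of buffer" is an explicit error rather than a byte that happens to be there.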
sheredom commented 1 year ago

Oh nice one! I've never used fuzzing on my json.h lib before, but it's a good idea!

skeeto commented 1 year ago

Thanks for the quick fix again! I've been fuzzing with your fixes for a while now with no new findings, so I don't think I'm going to find another. The issues I had reported were found almost instantly.

sheredom commented 1 year ago

No problem! Thanks for taking the time to a) check my lib with fuzzing and b) report the issues!