search

sheredom / json.h

🗄️ single header json parser for C and C++
The Unlicense
698 stars 77 forks source link

Buffer overflow in json_skip_c_style_comments #84

Closed zodf0055980 closed 1 year ago

zodf0055980 commented 1 year ago

Hi, I use fuzzer find this overflow.

#include "json.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[]) { 
    char s[2] = "4e";
    json_parse_ex(s, 2, json_parse_flags_allow_json5, 0, 0, 0);
}

This is asan report.

==3377194==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffde23 at pc 0x555555588e2c bp 0x7fffffffdc10 sp 0x7fffffffdc00
READ of size 1 at 0x7fffffffde23 thread T0
    #0 0x555555588e2b in json_skip_c_style_comments json.h:547
    #1 0x55555558a26c in json_skip_all_skippables json.h:633
    #2 0x55555559ba6a in json_parse_ex json.h:2043
    #3 0x5555555a9e22 in main test_overflow.c:8
    #4 0x7ffff6a41082 in __libc_start_main ../csu/libc-start.c:308
    #5 0x55555558838d in _start (/home/yuan/json.h/a.out+0x3438d)

Address 0x7fffffffde23 is located in stack of thread T0 at offset 35 in frame
    #0 0x5555555a9d44 in main test_overflow.c:6

  This frame has 1 object(s):
    [32, 34) 's' (line 7) <== Memory access at offset 35 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow json.h:547 in json_skip_c_style_comments
Shadow bytes around the buggy address:
  0x10007fff7b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10007fff7ba0: f1 f1 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3
  0x10007fff7bb0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007fff7bc0: f1 f1 f1 f1[02]f3 f3 f3 00 00 00 00 00 00 00 00
  0x10007fff7bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3377194==ABORTING