Closed zodf0055980 closed 1 year ago
Hi, I use fuzzer find this overflow.
#include "json.h" #include <stdio.h> #include <stdlib.h> #include <string.h> int main(int argc, char *argv[]) { char s[2] = "4e"; json_parse_ex(s, 2, json_parse_flags_allow_json5, 0, 0, 0); }
This is asan report.
==3377194==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffffffde23 at pc 0x555555588e2c bp 0x7fffffffdc10 sp 0x7fffffffdc00 READ of size 1 at 0x7fffffffde23 thread T0 #0 0x555555588e2b in json_skip_c_style_comments json.h:547 #1 0x55555558a26c in json_skip_all_skippables json.h:633 #2 0x55555559ba6a in json_parse_ex json.h:2043 #3 0x5555555a9e22 in main test_overflow.c:8 #4 0x7ffff6a41082 in __libc_start_main ../csu/libc-start.c:308 #5 0x55555558838d in _start (/home/yuan/json.h/a.out+0x3438d) Address 0x7fffffffde23 is located in stack of thread T0 at offset 35 in frame #0 0x5555555a9d44 in main test_overflow.c:6 This frame has 1 object(s): [32, 34) 's' (line 7) <== Memory access at offset 35 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow json.h:547 in json_skip_c_style_comments Shadow bytes around the buggy address: 0x10007fff7b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 0x10007fff7ba0: f1 f1 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 0x10007fff7bb0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10007fff7bc0: f1 f1 f1 f1[02]f3 f3 f3 00 00 00 00 00 00 00 00 0x10007fff7bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10007fff7c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==3377194==ABORTING
Hi, I use fuzzer find this overflow.
This is asan report.