Heap Overflow in json_parse_number()

[hyrathon]

Heap Overflow in json_parse_number()

In json_parse_number(), there is a heap out-of-bound write. The bug can be triggered with an invocation of json_parse_ex() with specific flags combination. The root cause of this vulnerability is that the parameter number transferred to json_parse_number() is not properly sanitized, and it is pointed to out-of-bound position assigned by upper layer function.

Here is the output of Google ASAN when the vulnerability is triggerred:

The flags is 0x5fd6d79cd6247bff
=================================================================
==5128==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000001c0 at pc 0x560f532c646f bp 0x7ffc97871f80 sp 0x7ffc97871f78
WRITE of size 8 at 0x6140000001c0 thread T0
    #0 0x560f532c646e in json_parse_number /home/hyrathon/Desktop/jsonh/./json.h:1839:18
    #1 0x560f532c22d1 in json_parse_value /home/hyrathon/Desktop/jsonh/./json.h:1980:7
    #2 0x560f532c08f0 in json_parse_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5
    #3 0x560f532c11c8 in json_parse_value /home/hyrathon/Desktop/jsonh/./json.h:1940:5
    #4 0x560f532c9c85 in json_parse_ex /home/hyrathon/Desktop/jsonh/./json.h:2129:3
    #5 0x560f532e0192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5
    #6 0x7f65c9a20d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #7 0x7f65c9a20e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #8 0x560f531ee314 in _start (/home/hyrathon/Desktop/jsonh/san+0x33314) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)

0x6140000001c4 is located 0 bytes to the right of 388-byte region [0x614000000040,0x6140000001c4)
allocated by thread T0 here:
    #0 0x560f5327115e in __interceptor_malloc (/home/hyrathon/Desktop/jsonh/san+0xb615e) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)
    #1 0x560f532c8f15 in json_parse_ex /home/hyrathon/Desktop/jsonh/./json.h:2088:18
    #2 0x560f532e0192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5
    #3 0x7f65c9a20d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hyrathon/Desktop/jsonh/./json.h:1839:18 in json_parse_number
Shadow bytes around the buggy address:
  0x0c287fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff8030: 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa
  0x0c287fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5128==ABORTING

The input to trigger this bug is attached. The first 8 bytes are the flags for json_parse_ex() and the rest is the content(src). Please use address sanitizer to reproduce the bug, as non-crash overflow is hard to detect or locate without shadow memory.

Version: latest commit (bdcf2e1912aa4c0127f755f5f6271c539d6cbf9f)

crash-input.zip