In json_parse_object(), there is a heap out-of-bound write. The bug can be triggered with an invocation of json_parse_ex() with specific flags combination. The root cause of this vulnerability is that the parameter object transferred to json_parse_obect() is not properly sanitized, and it is pointed to out-of-bound position assigned by upper layer function.
Here is the output of Google ASAN when the vulnerability is triggerred:
The flags is 0x5fd6d7d6d6247bdf
=================================================================
==5354==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a000000550 at pc 0x557f8e3323e7 bp 0x7ffd29216ab0 sp 0x7ffd29216aa8
WRITE of size 8 at 0x61a000000550 thread T0
#0 0x557f8e3323e6 in json_parse_object /home/hyrathon/Desktop/jsonh/./json.h:1670:21
#1 0x557f8e334ad9 in json_parse_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7
#2 0x557f8e3338f0 in json_parse_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5
#3 0x557f8e334ad9 in json_parse_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7
#4 0x557f8e3338f0 in json_parse_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5
#5 0x557f8e334ad9 in json_parse_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7
#6 0x557f8e338d4b in json_parse_array /home/hyrathon/Desktop/jsonh/./json.h:1809:5
#7 0x557f8e334ed5 in json_parse_value /home/hyrathon/Desktop/jsonh/./json.h:1962:7
#8 0x557f8e3338f0 in json_parse_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5
#9 0x557f8e3341c8 in json_parse_value /home/hyrathon/Desktop/jsonh/./json.h:1940:5
#10 0x557f8e33cc85 in json_parse_ex /home/hyrathon/Desktop/jsonh/./json.h:2129:3
#11 0x557f8e353192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5
#12 0x7fae53ff9d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#13 0x7fae53ff9e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#14 0x557f8e261314 in _start (/home/hyrathon/Desktop/jsonh/san+0x33314) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)
0x61a000000550 is located 0 bytes to the right of 1232-byte region [0x61a000000080,0x61a000000550)
allocated by thread T0 here:
#0 0x557f8e2e415e in __interceptor_malloc (/home/hyrathon/Desktop/jsonh/san+0xb615e) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)
#1 0x557f8e33bf15 in json_parse_ex /home/hyrathon/Desktop/jsonh/./json.h:2088:18
#2 0x557f8e353192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5
#3 0x7fae53ff9d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hyrathon/Desktop/jsonh/./json.h:1670:21 in json_parse_object
Shadow bytes around the buggy address:
0x0c347fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fff80a0: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
0x0c347fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5354==ABORTING
The input to trigger this bug is attached. The first 8 bytes are the flags for json_parse_ex() and the rest is the content(src). Please use address sanitizer to reproduce the bug, as non-crash overflow is hard to detect or locate without shadow memory.
Another Heap OOB in json_parse_object()
In
json_parse_object(), there is a heap out-of-bound write. The bug can be triggered with an invocation ofjson_parse_ex()with specific flags combination. The root cause of this vulnerability is that the parameterobjecttransferred tojson_parse_obect()is not properly sanitized, and it is pointed to out-of-bound position assigned by upper layer function.Here is the output of Google ASAN when the vulnerability is triggerred:
The input to trigger this bug is attached. The first 8 bytes are the flags for
json_parse_ex()and the rest is the content(src). Please use address sanitizer to reproduce the bug, as non-crash overflow is hard to detect or locate without shadow memory.Version: latest commit (bdcf2e1912aa4c0127f755f5f6271c539d6cbf9f) crash-input.zip