Dear Serge Zaitsev,
We have found a buffer overflow issue in jsmn.
The crash input is automatically generated by our test generation tool FOCAL.
You can find crash.json in crash.zip.
Here are details to reproduce the buffer overflow.
OS & Compiler
Ubuntu Linux 16.04 x64 and GCC 5.4.0
Build command
$ LDFLAGS="-fsanitize=address" CFLAGS="-fsanitize=address" make all jsondump
Run command
$ ./jsondump < crash.json
Outputs
'glossar▒▒: {
': titl
=================================================================
==4148==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000f000 at pc 0x000000400e95 bp 0x7ffd518ee090 sp 0x7ffd518ee080
READ of size 4 at 0x60600000f000 thread T0
#0 0x400e94 in dump (/home/yhkim/jsmn/jsondump+0x400e94)
#1 0x40115e in dump (/home/yhkim/jsmn/jsondump+0x40115e)
#2 0x401707 in main (/home/yhkim/jsmn/jsondump+0x401707)
#3 0x7fec0954182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x400ca8 in _start (/home/yhkim/jsmn/jsondump+0x400ca8)
0x60600000f000 is located 0 bytes to the right of 64-byte region [0x60600000efc0,0x60600000f000)
allocated by thread T0 here:
#0 0x7fec09983961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
#1 0x400d98 in realloc_it (/home/yhkim/jsmn/jsondump+0x400d98)
#2 0x4016c7 in main (/home/yhkim/jsmn/jsondump+0x4016c7)
#3 0x7fec0954182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 dump
Shadow bytes around the buggy address:
0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9df0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0c7fff9e00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==4148==ABORTING
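The trace above reports a 4-byte READ located 0 bytes past the end of a 64-byte region that `main` obtained from `realloc_it`, with the faulting frame in a recursive `dump`. That pattern is consistent with a token walker stepping one token beyond the array the parser actually filled. The following is an added example, not code from jsmn or its `jsondump` sample: it uses a constructed token struct (a stand-in that only mimics the shape of a jsmn token: type, byte range, child count) and a hypothetical `walk` routine that re-checks the remaining token budget before every dereference, so a truncated or inconsistent token array is reported as an error instead of being read past its end.

```c
#include <stdio.h>

/* Constructed stand-in for a parser token (not jsmn's jsmntok_t): each token
 * records its type, the byte range it covers in the JSON text, and how many
 * direct children it claims to have. */
typedef enum { T_PRIMITIVE, T_OBJECT, T_ARRAY, T_STRING } tok_type_t;

typedef struct {
    tok_type_t type;
    int start;  /* byte offset where the token begins in the JSON text */
    int end;    /* byte offset one past the token's last byte */
    int size;   /* number of direct children the token claims */
} tok_t;

static const char *type_name(tok_type_t ty) {
    switch (ty) {
    case T_OBJECT: return "object";
    case T_ARRAY:  return "array";
    case T_STRING: return "string";
    default:       return "primitive";
    }
}

/* Print the subtree rooted at t[0], touching at most `count` tokens.
 * Returns the number of tokens consumed, or -1 if some token claims more
 * children than the array holds. The `count < 1` guard is the defensive
 * check: a child visit is only attempted while tokens remain, so the walk
 * can never dereference one element past the end of the array. */
static long walk(const char *js, const tok_t *t, long count, int depth) {
    if (count < 1)
        return -1;  /* budget exhausted: refuse rather than overrun */

    printf("%*s%s(size=%d): %.*s\n", depth * 2, "", type_name(t->type),
           t->size, t->end - t->start, js + t->start);

    long consumed = 1;  /* this token */
    for (int i = 0; i < t->size; i++) {
        long n = walk(js, t + consumed, count - consumed, depth + 1);
        if (n < 0)
            return -1;  /* propagate the inconsistency upward */
        consumed += n;
    }
    return consumed;
}

/* Constructed sample: the text {"a":1} and the three tokens a parser would
 * produce for it (object -> key string -> primitive value). */
static const char SAMPLE_JS[] = "{\"a\":1}";
static const tok_t SAMPLE_TOKS[] = {
    { T_OBJECT,    0, 7, 1 },  /* the object claims one child (the key) */
    { T_STRING,    2, 3, 1 },  /* key "a" claims one child (its value) */
    { T_PRIMITIVE, 5, 6, 0 },  /* value 1 */
};

/* Complete token array: the walk consumes all three tokens. */
long walk_complete(void) {
    return walk(SAMPLE_JS, SAMPLE_TOKS, 3, 0);
}

/* Simulated truncation: only two tokens were filled in, but the key still
 * claims a child. The bounded walk returns -1 instead of reading token[2]. */
long walk_truncated(void) {
    return walk(SAMPLE_JS, SAMPLE_TOKS, 2, 0);
}

int main(void) {
    printf("complete walk consumed %ld tokens\n", walk_complete());
    printf("truncated walk returned %ld\n", walk_truncated());
    return 0;
}
```

The same check applies whatever the token layout is: the value that bounds the loop must be the number of tokens the parser actually wrote, not the capacity of the buffer, and it must be decremented and re-tested on every recursive step.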