Security issue - double free in parse_object #105

Closed
dzonerzy opened this issue Feb 15, 2017 · 7 comments
Comments

@dzonerzy

Hi, during a fuzzing session using PyJFuzz, I found that it is possible to trigger a double free condition when the parse_object function is called; the double free happened inside parse_string. Below is a screenshot.

[screenshot: schermata 2017-02-15 alle 12 51 43]

Below is the testcase I used to crash cJSON:

[{"FsrKY7": {"xsatsIjrY": {"f4UOmTp": -59.634942997}, "qf6t2w7f0": {}, "vwY7wMW": {"mcyrBl": "X1tjR5d", "m\FsFF20": "UzbJl"}}, "FGRF1wI": {"R6KZm": 127, "jC8utX": null}, "6nrvXK9sk": {"Gj7zP": {}}}, {"V5GD8GR": -19.5946741823, "bYsh2vyhp": -24.3975015443}{"V5GD8GR": -19.5946741823, "bYsh2vyhp": 24.3975015443}, ]

and the output:

[screenshot: schermata 2017-02-15 alle 12 57 55]

I didn't investigate further, so please let me know what you think.

Best regards,
Daniele

@FSMaxB
Collaborator

FSMaxB commented Feb 15, 2017

First of all, thanks for investing in the security of cJSON by applying fuzzing.

Currently I am unable to reproduce this with either the latest commit from master or version 1.2.1. Can you provide your full code for reproducing it, please?

Please use attachments instead of pasting it in the issue comment.

@dzonerzy
Author

I cloned the latest commit from master, then compiled a simple test program, which I'm attaching below together with the crash repro file.

files.zip

Please let me know if you need more info.

Regards,
Daniele

@FSMaxB
Collaborator

FSMaxB commented Feb 15, 2017

I found the problem and I can reproduce it with just "\F. A fix is on the way.
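
The trigger above is an unrecognised escape sequence inside a JSON string. As an added example (not cJSON's own code, and not the fix in 94117a5), here is a minimal string unescaper in C whose error path frees its buffer exactly once and hands the caller NULL, the ownership pattern that keeps an invalid escape such as `\F` from turning into a double free; `parse_json_string` and its `end` parameter are names chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not cJSON code: unescape one JSON string starting at its
 * opening quote. Returns a malloc'd C string, or NULL on any error. The
 * single fail: path owns cleanup, so no caller can free the buffer twice.
 * \uXXXX is rejected as unsupported here to keep the example short. */
char *parse_json_string(const char *input, const char **end)
{
    char *output = NULL;
    size_t len, i, j = 0;

    if (input == NULL || *input != '"') goto fail;
    input++;
    len = strlen(input);            /* escapes only shrink, so len+1 fits */
    output = malloc(len + 1);
    if (output == NULL) goto fail;

    for (i = 0; i < len && input[i] != '"'; i++) {
        if (input[i] != '\\') { output[j++] = input[i]; continue; }
        if (++i >= len) goto fail;  /* dangling backslash at end of input */
        switch (input[i]) {
        case 'n': output[j++] = '\n'; break;
        case 't': output[j++] = '\t'; break;
        case 'r': output[j++] = '\r'; break;
        case 'b': output[j++] = '\b'; break;
        case 'f': output[j++] = '\f'; break;
        case '"': case '\\': case '/': output[j++] = input[i]; break;
        default: goto fail;         /* "\F" and friends: invalid escape */
        }
    }
    if (i >= len) goto fail;        /* unterminated string */
    output[j] = '\0';
    if (end != NULL) *end = input + i + 1;
    return output;

fail:
    /* Free at most once, here only; the caller receives NULL and owns nothing. */
    free(output);
    return NULL;
}

int main(void)
{
    /* Constructed inputs: the page's "\F" trigger and a valid string. */
    char *bad = parse_json_string("\"m\\FsFF20\"", NULL);
    char *good = parse_json_string("\"a\\nb\"", NULL);
    printf("invalid escape -> %s\n", bad ? "parsed?!" : "rejected, no buffer leaked");
    printf("valid string   -> %s\n", good ? good : "(error)");
    free(bad);   /* free(NULL) is a no-op, so this is safe either way */
    free(good);
    return 0;
}
```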

@dzonerzy
Author

Well, that's good news, thanks for your support! Awesome project.

@FSMaxB FSMaxB added bug and removed needs info labels Feb 15, 2017
@FSMaxB FSMaxB closed this as completed in 94117a5 Feb 15, 2017
@FSMaxB
Collaborator

FSMaxB commented Feb 15, 2017

Btw. this problem only existed on master, so v1.2.1 isn't affected.

@Poras08

Poras08 commented May 25, 2021

Hello Daniele, in your error in the first place you are using a complex/recursive JSON. Can you tell how you generated this JSON?

I am also doing Fuzzing on Rest API.

Regards,
Poras

@dzonerzy
Author

I used PyJFuzz, a tool of mine, but sadly this is now unmaintained.
