This repository has been archived by the owner on Oct 23, 2024. It is now read-only.

Undeclared exceptions thrown by JSON.parse #3631

Closed
fmeum opened this issue Jan 29, 2021 · 3 comments
Closed

Comments

@fmeum
Contributor

fmeum commented Jan 29, 2021

While fuzzing fastjson in version 1.2.75, I found 4 cases of undeclared exceptions (i.e., exceptions other than JSONException).
The crashes can be reproduced with the following standalone Java applications, which require fastjson-1.2.75.jar from https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.75/fastjson-1.2.75.jar in the classpath.

Issue 1: NumberFormatException

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash1 {
    public static void main(String[] args) {
        try {
            JSON.parse("{[-");
        } catch (JSONException unused) {
            return;
        }
    }
}

Issue 2: ClassCastException

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash2 {
    public static void main(String[] args) {
        try {
            JSON.parse("TreeSet[[]");
        } catch (JSONException unused) {
            return;
        }
    }
}

Issue 3: ArrayIndexOutOfBoundsException

import java.util.Base64;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash3 {
    public static String btoa(String base64) {
        return new String(Base64.getDecoder().decode(base64));
    }

    public static void main(String[] args) {
        try {
            JSON.parse(btoa("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"));
        } catch (JSONException unused) {
            return;
        }
    }
}

Issue 4: ArrayIndexOutOfBoundsException

import java.util.Base64;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash4 {
    public static String btoa(String base64) {
        return new String(Base64.getDecoder().decode(base64));
    }

    public static void main(String[] args) {
        try {
            JSON.parse(btoa("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"));
        } catch (JSONException unused) {
            return;
        }
    }
}
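As an added example (not code from the issue or from the fastjson project), here is a wrapper that confines `JSON.parse` to its documented exception type, so callers that only catch `JSONException` are not crashed by the undeclared `RuntimeException`s reported above. It assumes `fastjson-1.2.75.jar` on the classpath, as the reproducers do, and uses the Issue 1 and Issue 2 inputs as sample data.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public final class SafeFastJson {
    private SafeFastJson() {}

    /**
     * Wraps JSON.parse so callers only ever see the declared JSONException.
     * Any other RuntimeException escaping the parser (NumberFormatException,
     * ClassCastException, ArrayIndexOutOfBoundsException, ...) is rethrown as
     * a JSONException that keeps the original exception as its cause.
     */
    public static Object parseOrThrowDeclared(String text) {
        try {
            return JSON.parse(text);
        } catch (JSONException e) {
            throw e; // already the declared type, pass through unchanged
        } catch (RuntimeException e) {
            throw new JSONException("undeclared exception from JSON.parse: " + e, e);
        }
    }

    /** True if JSON.parse on this input escapes with a non-JSONException. */
    public static boolean leaksUndeclaredException(String text) {
        try {
            JSON.parse(text);
            return false;
        } catch (JSONException e) {
            return false; // declared failure mode, not a leak
        } catch (RuntimeException e) {
            return true;  // the kind of crash the issue reports
        }
    }

    public static void main(String[] args) {
        // Constructed sample set: the Issue 1 and Issue 2 inputs from this
        // thread plus one valid document as a control. The base64-encoded
        // inputs of Issues 3 and 4 are not reproduced on this page.
        String[] samples = {"{[-", "TreeSet[[]", "{\"a\":1}"};
        for (String s : samples) {
            System.out.println(s + " -> leaks undeclared exception: "
                    + leaksUndeclaredException(s));
        }
    }
}
```

Which inputs leak depends on the fastjson version on the classpath; on a fixed release the first two should report `false`.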
@wenshao wenshao added this to the 1.2.76 milestone Jan 31, 2021
@Certseeds
Contributor

@wenshao
Has anyone done anything on this issue?
I am willing to solve it in a few months.

@fmeum
Contributor Author

fmeum commented Mar 12, 2021

As the issues reported in this thread were found via fuzzing, I have drafted a PR that would set up fastjson for continuous fuzzing in OSS-Fuzz: google/oss-fuzz#5373

Let me know if you have any questions or concerns.

@fmeum
Contributor Author

fmeum commented Mar 13, 2021

@wenshao Sorry, I didn't intend for google/oss-fuzz#5373 to be merged right away. If you want me to make any changes or revert the OSS-Fuzz integration entirely, please let me know.
