Assertion error (OSS-Fuzz 856) #504

Closed
nlohmann opened this issue Mar 13, 2017 · 4 comments
Assignees
Labels
aspect: binary formats BSON, CBOR, MessagePack, UBJSON confirmed
Milestone

Comments

@nlohmann
Owner

Detailed report: https://oss-fuzz.com/testcase?key=4910609957126144

Project: json
Fuzzer: libFuzzer_json_parse_cbor_fuzzer
Fuzz target binary: parse_cbor_fuzzer
Job Type: libfuzzer_asan_json
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
j1 == j2
_start

Sanitizer: address (ASAN)

Regressed: https://oss-fuzz.com/revisions?job=libfuzzer_asan_json&range=201703121620:201703131620

Reproducer Testcase: https://oss-fuzz.com/download/AMIfv94QnsU7rQn_6EMKIf1tY03A70fJNBE4s4pBAttVwxsQ--RcPxWkO5KLsQSF6wLETaBEwAFcuKUOd7z6fih_queH7WUrk4Ksrco2ueyrGzfjOG7vn2EDXrSTD8rKizXF9KK5ukS1_3o1IhMvnGnNWNcnMRa4G5YTyfony4huGgLWvUFU5y70NJlQVaTZu6DrMCucs2XSD7JpwiI8QPqeO7fk_z9FbyrJ7rgey0uad0KvAev2R182E6W6jPQa1Uf8wm1gRcgWpxTOHZqw2AGWLaGNIKBFg4a90P-TJV5FaBM-ZEh1wfFIBctpJbAGZNUy1HS1aFhlQer7b5uHeeJeht17gHp1sGIFKs-A5H-T0gWHEmmZQeYyXetNt4ZnZP7hHXPqtwo4?testcase_id=4910609957126144


Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.

Input: 0xf9, 0xff, 0xff, 0x4a, 0x3a, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x37, 0x02, 0x38

Example program:

#include <cstdint>
#include <iostream>
#include <vector>

#include "json.hpp"

using json = nlohmann::json;

int main()
{
    // the OSS-Fuzz reproducer input: a half-precision NaN (0xf9 0xff 0xff) followed by further CBOR items
    std::vector<uint8_t> vec = {0xf9, 0xff, 0xff, 0x4a, 0x3a, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x37, 0x02, 0x38};
    std::cout << json::from_cbor(vec);
}
@nlohmann
Owner Author

nlohmann commented Mar 13, 2017

The beginning of the input (0xf9, 0xff, 0xff) is the half-precision float (half=65535, exp=31, mant=1023) representing NaN. Since #329, NaN does not yield an exception, but is stored internally and dumped as null. This explains the roundtrip error.

@nlohmann
Owner Author

nlohmann commented Mar 13, 2017

As the behavior is OK, the CBOR fuzz tester must be adjusted to allow such roundtrip errors.

@nlohmann nlohmann self-assigned this Mar 13, 2017
@nlohmann nlohmann added the solution: proposed fix a fix for the issue has been proposed and waits for confirmation label Mar 13, 2017
@nlohmann nlohmann added kind: bug and removed solution: proposed fix a fix for the issue has been proposed and waits for confirmation labels Mar 14, 2017
@nlohmann
Owner Author

I misunderstood the problem. There was never a serialization to string, but a comparison of two NaN values. The assertion fails because the two JSON values are treated differently.

@nlohmann
Owner Author

As of #329, NaN and infinity values can be stored inside a json value without throwing an exception. However, two JSON values that store NaN fail to identify:

#include <cassert>
#include <cmath>

#include "json.hpp"

using json = nlohmann::json;

int main()
{
    // both values hold a quiet NaN with the same bit pattern
    json j1 = NAN;
    json j2 = NAN;

    assert(j1 == j2); // this fails!
}

This is because the comparison is implemented as

return lhs.m_value.number_float == rhs.m_value.number_float;

The error here is that a NaN value is read from CBOR into a JSON value j1 and then round-tripped to j2. j1 and j2 are the same down to the bit, but j1 != j2, because j1.m_value.number_float != j2.m_value.number_float, since both values are NaN.

Hence, the code in the fuzzer must be adjusted.
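Added example (not the library's or the fuzzer's own code): it decodes the half-precision prefix from the reproducer input with the RFC 7049 reference algorithm, shows that a plain `==` on the resulting NaN is false even though the bits are identical, and gives a NaN-aware comparison of the kind a round-trip check needs. The function names are hypothetical; the library itself is not used.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <limits>

// Decode a CBOR half-precision float (major type 7, additional info 25, the
// 0xf9 prefix) using the reference algorithm from RFC 7049, Appendix D.
// The bytes 0xff 0xff give sign=1, exp=31, mant=1023, i.e. NaN, which is
// exactly the start of the fuzzer input on this issue.
double decode_half(uint8_t hi, uint8_t lo)
{
    const unsigned half = (static_cast<unsigned>(hi) << 8) | lo;
    const int exp = (half >> 10) & 0x1f;
    const unsigned mant = half & 0x3ff;
    double val;
    if (exp == 0)
        val = std::ldexp(static_cast<double>(mant), -24);            // zero / subnormal
    else if (exp != 31)
        val = std::ldexp(static_cast<double>(mant + 1024), exp - 25); // normal
    else
        val = (mant == 0) ? std::numeric_limits<double>::infinity()  // exp==31: inf or NaN
                          : std::numeric_limits<double>::quiet_NaN();
    return (half & 0x8000) ? -val : val;
}

// What the library's operator== does for number_float: IEEE 754 says NaN is
// never equal to anything, including a NaN with the same bit pattern.
bool naive_equal(double a, double b) { return a == b; }

// Bit-level identity, to confirm that j1 and j2 really carry the same payload.
bool same_bits(double a, double b)
{
    uint64_t x, y;
    std::memcpy(&x, &a, sizeof x);
    std::memcpy(&y, &b, sizeof y);
    return x == y;
}

// Comparison suitable for a round-trip check: ordinary values compare by
// value, and any NaN is considered equal to any other NaN (sign and payload
// ignored, matching how a JSON consumer would treat them).
bool roundtrip_equal(double a, double b)
{
    if (std::isnan(a) && std::isnan(b)) return true;
    return a == b;
}
```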

@nlohmann nlohmann added solution: proposed fix a fix for the issue has been proposed and waits for confirmation and removed kind: bug labels Mar 14, 2017
@nlohmann nlohmann added this to the Release 3.0.0 milestone Mar 14, 2017
@nlohmann nlohmann removed the solution: proposed fix a fix for the issue has been proposed and waits for confirmation label Mar 14, 2017
@nlohmann nlohmann added the aspect: binary formats BSON, CBOR, MessagePack, UBJSON label Mar 28, 2017