Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Heap-buffer-overflow (OSS-Fuzz issue 343) #407

Closed
nlohmann opened this issue Dec 29, 2016 · 2 comments
Closed

Heap-buffer-overflow (OSS-Fuzz issue 343) #407

nlohmann opened this issue Dec 29, 2016 · 2 comments
Assignees
@nlohmann
Labels
aspect: binary formats BSON, CBOR, MessagePack, UBJSON confirmed kind: bug
Milestone
Release 2.0.10

Comments

@nlohmann
Copy link
Owner

The library is continuously fuzz tested by Google's OSS-Fuzz. Today, an error was reported:

Detailed report: https://clusterfuzz-external.appspot.com/testcase?key=6040962799239168

Project: json
Fuzzer: libFuzzer_json_fuzzer-parse_msgpack
Fuzz target binary: fuzzer-parse_msgpack
Job Type: libfuzzer_asan_json
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x603000000143
Crash State:
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha
_start

Recommended Security Severity: Medium

Regressed: https://clusterfuzz-external.appspot.com/revisions?job=libfuzzer_asan_json&range=201612280923:201612281110

Minimized Testcase (0.00 Kb): https://clusterfuzz-external.appspot.com/download/AMIfv95NCMBh7AVb3p5HP2Yn5Au5Pwi80PXPp7Le6IBv-PDKP56X6ElvOlGqKpcdihUGYs_k0vO9657nHJkkvdxt4zFeiNgnXuvJPxzLtEit_svS5wKr0OrSnrEmal8lsVaIaAiLdo9oP3_8Dqy8SK6J2MN9ikU4mbzydYZ8HzxmHpGZRUGXtm-FsmPdpB-7jFMUpOy4c_cnq50Xvd2VYKp8Xz_NOZAlWgGpa0g6yeNWF4j7WY2tIVnQClLXLY_Gd_QSSC1kZBkjRiQ95_ArJ0a-tsNFk1Kh43C_4FRUPq6P3f23h94CuQIfeLsNLIT517JnjYVwEVt76JWrseXFPp1PC5xO32PZqbnlzZojC1O3c32RJk8Eb3mXZNktsw98DCXHN1f5W8Rv?testcase_id=6040962799239168

Issue filed automatically.

See https:/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.

Test case: 0xcb 0x8f 0x0a

SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
#0 0x51ba09 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_msgpack_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:6993:87
#1 0x511d03 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_msgpack(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) /src/json/src/json.hpp:7672:16
@nlohmann
Copy link
Owner Author

Diagnosis: the input begins with 0xcb (float64), but only 2 instead of 8 bytes follow.

@nlohmann nlohmann self-assigned this Dec 29, 2016
@nlohmann
Copy link
Owner Author

The same issue occurs for all other incomplete floating-point numbers, both in CBOR and MessagePack.

nlohmann added a commit that referenced this issue Dec 29, 2016
@nlohmann
🚑 fix for #407
383a29a
@nlohmann nlohmann added the aspect: binary formats BSON, CBOR, MessagePack, UBJSON label Mar 28, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nlohmann nlohmann

Labels
aspect: binary formats BSON, CBOR, MessagePack, UBJSON confirmed kind: bug
Projects
None yet
Milestone
Release 2.0.10
Development

No branches or pull requests
1 participant
@nlohmann