Description:
A Heap Buffer Overflow (out-of-bounds read) vulnerability was identified in the json_parse_object function at line 532 of json.c. Under AddressSanitizer (ASan) the crafted input produces a heap-buffer-overflow READ report, after which ASan aborts the process with SIGABRT.
PoC (Proof of Concept) Payload (JSON):
{"string":"test","number":123,"bool":true,"null":nþll}
Root Cause Analysis:
The error-recovery logic does not stop at the end of the input when it encounters a malformed non-ASCII byte sequence or an unexpected keyword (nþll where null is expected; þ is U+00FE, which UTF-8 encodes as the two bytes 0xC3 0xBE, so the token cannot match null). While skipping the bad token the parser keeps incrementing the input pointer without checking for the terminating \0, and because the following logic compares each byte against the closing brace } until one matches, the pointer walks past the end of the heap allocation and dereferences out-of-bounds memory.
Impact:
- CVSS v3.1 Score: 7.5 (High)
- An attacker who can supply input to the parser can crash the process with a crafted payload (Denial of Service).
- Because the defect is an out-of-bounds read rather than a write, memory disclosure is the other plausible outcome: if the bytes read past the buffer are reflected to the caller (for example in an error message), adjacent heap contents, and with them pointer values useful for bypassing ASLR, could leak. The report demonstrates only the crash; a leak would depend on the surrounding heap layout, including under concurrent allocation in multi-threaded processes.
Suggested Fix:
- Check for the terminating null byte (\0) at every pointer advancement step.
- Abort parsing immediately and return a json_error_t error code when the delimiter match fails or the pointer reaches the end of the buffer, so the parser never advances past the input.
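The following is an added example, not code from json.c, of what the two fix points look like in practice: a minimal scanner for a flat JSON object in which every pointer increment is preceded by a terminator check and every mismatch returns an error code instead of skipping ahead. The json_error_t values, the function names and the constructed payload (the report's PoC with þ written as its UTF-8 bytes) are assumptions for the example. Run against the PoC, the scanner stops at the first byte of þ and reports an unexpected token; the returned end pointer is always inside the buffer, which is exactly the property the unpatched recovery path lacks.

```c
#include <stdio.h>
#include <string.h>

/* Error codes returned instead of advancing past bad input. The report names
 * json_error_t; these particular values are assumed for the example. */
typedef enum {
    JSON_OK = 0,
    JSON_ERR_UNEXPECTED_TOKEN,  /* e.g. "n\xc3\xbell" where "null" was expected */
    JSON_ERR_TRUNCATED          /* reached the '\0' terminator before a required delimiter */
} json_error_t;

/* Constructed copy of the report's PoC: "þ" (U+00FE) written as its UTF-8 bytes. */
const char POC_PAYLOAD[] =
    "{\"string\":\"test\",\"number\":123,\"bool\":true,\"null\":n" "\xc3\xbe" "ll}";

/* Classify a stop at an unexpected byte: the terminator means the input ran
 * out, anything else means a malformed token. Neither case advances. */
static json_error_t stop_error(char c) {
    return c == '\0' ? JSON_ERR_TRUNCATED : JSON_ERR_UNEXPECTED_TOKEN;
}

/* Match a keyword literal byte-for-byte. The comparison (which also catches
 * '\0') comes before every increment, so a mismatch such as 0xC3 where 'u'
 * was expected returns immediately with *p still inside the buffer. */
static json_error_t match_keyword(const char **p, const char *kw) {
    for (; *kw != '\0'; kw++) {
        if (**p != *kw) return stop_error(**p);
        (*p)++;
    }
    return JSON_OK;
}

/* Skip a quoted string, honouring backslash escapes; stops at '\0'. */
static json_error_t skip_string(const char **p) {
    (*p)++;                                    /* opening quote */
    while (**p != '"') {
        if (**p == '\0') return JSON_ERR_TRUNCATED;
        if (**p == '\\') {                     /* escape: next byte belongs to the string */
            (*p)++;
            if (**p == '\0') return JSON_ERR_TRUNCATED;
        }
        (*p)++;
    }
    (*p)++;                                    /* closing quote */
    return JSON_OK;
}

/* Skip a number. The '\0' test runs first because strchr() would otherwise
 * report the terminator itself as a member of the character set. */
static json_error_t skip_number(const char **p) {
    const char *start = *p;
    while (**p != '\0' && strchr("+-0123456789.eE", **p) != NULL) (*p)++;
    return *p == start ? stop_error(**p) : JSON_OK;
}

static json_error_t skip_value(const char **p) {
    switch (**p) {
    case '"': return skip_string(p);
    case 't': return match_keyword(p, "true");
    case 'f': return match_keyword(p, "false");
    case 'n': return match_keyword(p, "null");
    default:  return skip_number(p);
    }
}

/* Scan one flat JSON object (enough for the PoC; nesting is out of scope).
 * *end receives the position where scanning stopped; it never lies past the
 * terminator, because no path increments without first inspecting the byte. */
json_error_t json_scan_object(const char *buf, const char **end) {
    const char *p = buf;
    json_error_t rc = JSON_OK;

    if (*p != '{') { rc = stop_error(*p); goto out; }
    p++;
    if (*p == '}') { p++; goto out; }          /* empty object */
    for (;;) {
        if (*p != '"') { rc = stop_error(*p); goto out; }
        if ((rc = skip_string(&p)) != JSON_OK) goto out;
        if (*p != ':') { rc = stop_error(*p); goto out; }
        p++;
        if ((rc = skip_value(&p)) != JSON_OK) goto out;
        if (*p == ',') { p++; continue; }
        if (*p == '}') { p++; goto out; }
        rc = stop_error(*p);                   /* neither delimiter: stop, do not skip ahead */
        goto out;
    }
out:
    if (end != NULL) *end = p;
    return rc;
}

int main(void) {
    const char *end;
    json_error_t rc = json_scan_object(POC_PAYLOAD, &end);
    printf("rc=%d, stopped at offset %ld of %zu bytes (byte 0x%02x)\n",
           (int)rc, (long)(end - POC_PAYLOAD), strlen(POC_PAYLOAD), (unsigned char)*end);
    return 0;
}
```

The same stop_error() rule covers both fix points: a byte that is not the expected delimiter ends the parse with JSON_ERR_UNEXPECTED_TOKEN, and the terminator ends it with JSON_ERR_TRUNCATED, so the "search forward for }" recovery that caused the over-read never runs.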