Heap Buffer Overflow in json_string_len due to unvalidated pointer increment on trailing backslash #26

@Xinchen-one

Description:

A Heap Buffer Overflow vulnerability was found in the json_string_len function at line 1025 of json.c when calculating the internal length of a string payload.

PoC (Proof of Concept) Payload:

```plaintext
"\v
```

Root Cause Analysis:

When parsing standard escape characters prefixed by a backslash \, json_string_len unconditionally performs an iter += 2 step to skip the escape symbol and its following modifier. If the input payload is malformed and unexpectedly truncated right at the backslash, this operation forces the pointer to skip the terminating null byte \0. The underlying for loop continues scanning subsequent heap blocks uncontrollably until it hits the ASan redzone, triggering a SIGABRT crash.

Impact:

  • CVSS v3.1 Score: 7.5 (High)
  • Without ASan intervention, the pointer will roam through memory, potentially exposing adjacent heap data, session keys, or other sensitive user context, resulting in information disclosure.

Suggested Fix:

  • Rewrite the backslash parsing branch to validate the trailing character before dereferencing or advancing.
  • If the character following \ is \0, immediately treat it as an unclosed non-RFC escape sequence and return an error rather than applying unconditional iter += 2 logic.
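The defect and the suggested check, shown as an added C example written for this report; it is a simplified, hypothetical model of a json_string_len-style scanner, not the project's json.c, and the function and buffer names are assumptions.

```c
/* Hypothetical, simplified model of a json_string_len-style scanner (not the
 * project's code). `s` points at the opening quote. Each escape pair such as
 * \n counts as one decoded byte; \uXXXX is not modelled.
 * Returns the decoded length, or -1 if the string is not terminated. */

/* 'Before' form, mirroring the defect the issue describes: on a backslash the
 * scanner steps over the next byte without checking that it is not the NUL
 * terminator, so the loop's *iter != '\0' guard is bypassed. */
long string_len_vulnerable(const char *s)
{
    long len = 0;
    if (*s != '"')
        return -1;
    for (const char *iter = s + 1; *iter != '\0'; iter++) {
        if (*iter == '"')
            return len;
        if (*iter == '\\')
            iter++;          /* BUG: with the loop's iter++ this is iter += 2 */
        len++;
    }
    return -1;
}

/* Hardened form: validate the byte after the backslash before advancing. */
long string_len_fixed(const char *s)
{
    long len = 0;
    if (*s != '"')
        return -1;
    for (const char *iter = s + 1; *iter != '\0'; iter++) {
        if (*iter == '"')
            return len;
        if (*iter == '\\') {
            if (iter[1] == '\0')
                return -1;   /* unterminated escape: reject, never skip the NUL */
            iter++;
        }
        len++;
    }
    return -1;
}

/* Constructed input: the issue's truncated payload (opening quote, lone
 * backslash, NUL) followed by bytes this array owns, so the over-read of the
 * vulnerable form stays inside the array and can be observed safely. The
 * vulnerable scanner "finds" the quote after the terminator and returns 1;
 * the fixed scanner returns -1. */
const char poc_truncated[] = { '"', '\\', '\0', '"', '\0' };
```

In a real heap allocation the bytes after the terminator are whatever neighbours the chunk, which is why ASan reports the read as a heap-buffer-overflow.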
