cJSON_Parse has buffer overflow with missing comma #878
Comments
|
Hi @brianwyld. Thank you for your reporting. |
|
Attached JSON file that causes * buffer overflow* and crash on my build due to missing comma line 2 |
|
Looks like you are trying to parse a corrupted json with And I noticed there is a lot of content after the missing comma line 2, which I think is the root cause of overflow. Considering your json is corrupted with a missing comma, I do not have any better good idea but to validate json on the caller side. |
|
Actually cjson is implemented in this way. See while (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == ','));
if (cannot_access_at_index(input_buffer, 0) || (buffer_at_offset(input_buffer)[0] != '}'))
{
goto fail; /* expected end of object */
}As you can see, it stops parsing when a comma is missed. And it expects a '}' after it. When cjson can not find a '}', it directly go to fail section, which will handle with memory and return null. |
|
As for the overflow, I can not reproduce it locally. IIRC cjson does not create any buffer when parsing json, it only iterate the buffer you provide when calling |
|
Ok, so either there is a problem with the version bundled in zephyr 1.7.14 or there is another case... I will take a look in the code to see where the 'buffer overflow detected' log comes from and how it gets there. |
Using cJSON version 1.7.14 as bundled in the Nordic Semi SDKConnect under Zephyr.
If I try to parse using cJSON_ParseWithLength(tmp_json_buffer, load_len) for a buffer containing JSON missing the comma between items, then depending on where the item is in the overall buffer I either get a parse failure:
or a nasty
followed by a zephyr panic and a fatal error/restart.
In the first case, I have
as the end of my JSON (about 8kB's worth)
In the 2nd case its the first element...
Zephyr main stack size is configred to 64kB;
The text was updated successfully, but these errors were encountered: