UBSAN error while parsing BJData (Null-dereference) #3491
Comments
FYI @fangq
tested this input file using the program below (t3491.cpp):

```shell
fangq$ g++ -g t3491.cpp -o t3491 -I include
fangq$ ./t3491 clusterfuzz-testcase-minimized-parse_bjdata_fuzzer-6432243825901568
terminate called after throwing an instance of 'nlohmann::detail::parse_error'
  what():  [json.exception.parse_error.110] parse error at byte 18: syntax error while parsing BJData value: unexpected end of input
Aborted (core dumped)
```

t3491.cpp

```cpp
#include <nlohmann/json.hpp>
#include <cstdint>   // uint8_t
#include <fstream>
#include <iostream>
#include <vector>    // std::vector

using json = nlohmann::json;

int main(int argc, char *argv[]) {
    if (argc < 2)
        return 1;
    // read the fuzzer test case verbatim as raw bytes
    std::ifstream stream(argv[1], std::ios::binary);
    std::vector<uint8_t> contents((std::istreambuf_iterator<char>(stream)),
                                  std::istreambuf_iterator<char>());
    // parse the bytes as BJData; a malformed input throws parse_error
    json j = json::from_bjdata(contents);
    std::cout << j << std::endl;
    return 0;
}
```
Try building with

Edit: And if nothing changes, try running the program with this environment variable:
@falbrechtskirchinger, perhaps I did not set up the environment properly for this - my work desktop runs Ubuntu 18.04. I tried both g++ and clang++6.0 with the suggested flag and env variable, but still it prints the end-of-input parse_error.
I've not tried to reproduce these issues myself. I'm working on an improved fuzz testing setup. Once that is completed in the coming days, I'll take a look.
I analyzed the issue, and just like #3490 (comment) and #3492 (comment), it is caused by creating invalid SAX events. These events are triggered:

```xml
<object>
  <key key="" />
  <array>
    <object size="3">
      <key key="_ArraySize_" />
      <array size="2">
        <number_integer val="32" />
        <number_integer val="0" />
      </array>
      <array size="0"> <!-- first error: expected a key here -->
      </array>
    </array> <!-- second error: parsing an object, but closing an array -->
    <key key="" />
    <parse_error id="18" token="<end of file>" />
```

The parser must make sure that

These mismatched events yield undefined behavior in the SAX-DOM parser. In #3498 I propose adding assertions to make this undefined behavior visible. That PR does not fix this issue, but makes it clear that it is unrelated to any sanitizer.
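A stand-alone checker for that event stream, added here as an example and not code from the nlohmann/json project (it does not use the library's `json_sax` interface; the `Ev` enum, `check_sax_events` and the trace functions are this example's own names). It replays the events listed above with a container stack, ignores the `size` attributes, and reports both places where the stream stops being well-formed, plus the key that then lands on an array, which is the point where a DOM builder would dereference the wrong container:

```cpp
// Added example, not code from the nlohmann/json project: a stand-alone
// checker for a SAX event stream. Container sizes announced with the start
// events are ignored; only nesting and key/value order are checked.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

enum class Ev { StartObject, Key, EndObject, StartArray, EndArray, Value, ParseError };

struct Event {
    Ev type;
    std::string detail;  // key name, value text, or the offending token
};

// Replays the events against a container stack and returns one message per
// structural violation (an empty vector means the stream is well-formed).
// After a violation it recovers the way a naive DOM builder would, popping on
// any end event, so a later key that lands on an array is reported as well.
std::vector<std::string> check_sax_events(const std::vector<Event>& events) {
    struct Frame { bool is_object; bool expect_key; };
    std::vector<Frame> stack;
    std::vector<std::string> errors;
    auto at = [](std::size_t i) { return "event " + std::to_string(i) + ": "; };
    // Every value-like event (scalar or container start) fills a value slot of
    // the enclosing container; inside an object that slot must follow a key.
    auto fill_value_slot = [&](std::size_t i) {
        if (stack.empty() || !stack.back().is_object) return;
        Frame& top = stack.back();
        if (top.expect_key) errors.push_back(at(i) + "expected a key, got a value");
        top.expect_key = true;  // the next event in this object must be a key
    };
    for (std::size_t i = 0; i < events.size(); ++i) {
        switch (events[i].type) {
        case Ev::Key:
            if (stack.empty() || !stack.back().is_object)
                errors.push_back(at(i) + "key outside of an object");
            else if (!stack.back().expect_key)
                errors.push_back(at(i) + "key where a value was expected");
            else
                stack.back().expect_key = false;
            break;
        case Ev::StartObject:
            fill_value_slot(i);
            stack.push_back({true, true});
            break;
        case Ev::StartArray:
            fill_value_slot(i);
            stack.push_back({false, false});
            break;
        case Ev::Value:
            fill_value_slot(i);
            break;
        case Ev::EndObject:
            if (stack.empty()) errors.push_back(at(i) + "end_object with no open container");
            else if (!stack.back().is_object) errors.push_back(at(i) + "end_object while parsing an array");
            else if (!stack.back().expect_key) errors.push_back(at(i) + "end_object after a key with no value");
            if (!stack.empty()) stack.pop_back();
            break;
        case Ev::EndArray:
            if (stack.empty()) errors.push_back(at(i) + "end_array with no open container");
            else if (stack.back().is_object) errors.push_back(at(i) + "end_array while parsing an object");
            if (!stack.empty()) stack.pop_back();
            break;
        case Ev::ParseError:
            return errors;  // a parse error may legitimately end the stream anywhere
        }
    }
    if (!stack.empty())
        errors.push_back("end of stream with " + std::to_string(stack.size()) + " container(s) still open");
    return errors;
}

// The event sequence transcribed from the comment above (sizes dropped).
std::vector<Event> issue_3491_trace() {
    return {
        {Ev::StartObject, ""}, {Ev::Key, ""}, {Ev::StartArray, ""},
        {Ev::StartObject, ""}, {Ev::Key, "_ArraySize_"}, {Ev::StartArray, ""},
        {Ev::Value, "32"}, {Ev::Value, "0"}, {Ev::EndArray, ""},
        {Ev::StartArray, ""}, {Ev::EndArray, ""}, {Ev::EndArray, ""},
        {Ev::Key, ""}, {Ev::ParseError, "<end of file>"},
    };
}

// A constructed well-formed stream for comparison: {"a":[1,{}]}
std::vector<Event> well_formed_trace() {
    return {
        {Ev::StartObject, ""}, {Ev::Key, "a"}, {Ev::StartArray, ""}, {Ev::Value, "1"},
        {Ev::StartObject, ""}, {Ev::EndObject, ""}, {Ev::EndArray, ""}, {Ev::EndObject, ""},
    };
}

int main() {
    for (const std::string& msg : check_sax_events(issue_3491_trace()))
        std::cout << msg << '\n';
    std::cout << (check_sax_events(well_formed_trace()).empty() ? "well-formed stream: ok" : "unexpected") << '\n';
    return 0;
}
```

Run against the transcribed trace it reports event 9 (the size-0 array where a key was due), event 11 (the `end_array` that closes an object) and event 12 (the key emitted while the current container is an array); the well-formed stream produces no messages.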
…3491,#3492,#3490) (#3500)
* Discard optimized containers with negative counts in UBJSON/BJData (#3491,#3492,#3490)
* fix msvc error
* update unit tests for negative sized containers
* use a loop to test 0 ndarray dimension
* throw an error when count is negative, merge CHECK_THROW_AS and _WITH with _WITH_AS
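The commit above rejects optimized containers whose count is negative. The following is an added example, not the nlohmann/json implementation: a stand-alone reader for the count in a BJData optimized-container header (`#` followed by an integer value with its own type marker, little-endian as BJData specifies) that refuses a negative count before it can ever be used as a container size. `read_container_count`, `CountResult` and `bytes` are this example's own names:

```cpp
// Added example, not nlohmann/json code: reading the count of a BJData
// optimized container header and rejecting negative counts, which is the
// check the linked fix adds. BJData integers are little-endian.
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

struct CountResult {
    bool ok;
    std::uint64_t count;    // valid only if ok
    std::size_t consumed;   // bytes used from pos: '#', type marker, integer
    std::string error;
};

// Assembles an unsigned little-endian integer of `width` bytes.
static std::uint64_t read_le(const std::vector<std::uint8_t>& buf, std::size_t pos, std::size_t width) {
    std::uint64_t v = 0;
    for (std::size_t i = 0; i < width; ++i)
        v |= static_cast<std::uint64_t>(buf[pos + i]) << (8 * i);
    return v;
}

// Sign-extends a `width`-byte two's-complement value held in the low bits of v.
static std::int64_t sign_extend(std::uint64_t v, std::size_t width) {
    if (width < 8 && ((v >> (8 * width - 1)) & 1u))
        v |= ~std::uint64_t{0} << (8 * width);
    return static_cast<std::int64_t>(v);
}

// Parses "#<type><integer>" at buf[pos]. Signed markers are checked for a
// negative value; unsigned markers can never be negative.
CountResult read_container_count(const std::vector<std::uint8_t>& buf, std::size_t pos) {
    if (pos >= buf.size() || buf[pos] != '#')
        return {false, 0, 0, "expected '#' count marker"};
    if (pos + 1 >= buf.size())
        return {false, 0, 0, "unexpected end of input after '#'"};
    std::size_t width = 0;
    bool is_signed = false;
    switch (buf[pos + 1]) {     // BJData integer type markers
    case 'i': width = 1; is_signed = true; break;   // int8
    case 'U': width = 1; break;                     // uint8
    case 'I': width = 2; is_signed = true; break;   // int16
    case 'u': width = 2; break;                     // uint16
    case 'l': width = 4; is_signed = true; break;   // int32
    case 'm': width = 4; break;                     // uint32
    case 'L': width = 8; is_signed = true; break;   // int64
    case 'M': width = 8; break;                     // uint64
    default:
        return {false, 0, 0, "invalid count type marker"};
    }
    if (pos + 2 + width > buf.size())
        return {false, 0, 0, "unexpected end of input while reading count"};
    const std::uint64_t raw = read_le(buf, pos + 2, width);
    if (is_signed && sign_extend(raw, width) < 0)
        return {false, 0, 0, "negative container count"};   // the check the fix adds
    return {true, raw, 2 + width, ""};
}

// Helper to build constructed input bytes for the examples below.
std::vector<std::uint8_t> bytes(std::initializer_list<int> l) {
    return std::vector<std::uint8_t>(l.begin(), l.end());
}

int main() {
    // Constructed headers: a count of 3, an int8 count of -1, and a uint8 count of 255.
    for (const auto& header : {bytes({'#', 'i', 3}), bytes({'#', 'i', 0xFF}), bytes({'#', 'U', 0xFF})}) {
        const CountResult r = read_container_count(header, 0);
        if (r.ok) std::cout << "count " << r.count << " (" << r.consumed << " bytes)\n";
        else      std::cout << "rejected: " << r.error << '\n';
    }
    return 0;
}
```

The same check applies to the wider signed markers, e.g. an `I` count of `00 80` (int16 -32768) or an `L` count whose top byte is `80`, both of which are rejected rather than interpreted as a huge unsigned size.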
Description
OSS-Fuzz reports a runtime error: member access within null pointer of type 'std::__tree_end_node<std::__tree_node_base<void *> *>' when fuzzing with UBSAN.
Reproduction steps
clusterfuzz-testcase-minimized-parse_bjdata_fuzzer-6432243825901568.zip
Expected vs. actual results
Expected: parse error or valid JSON value returned
Actual: UBSAN runtime error
Minimal code example
No response
Error messages
Compiler and operating system
OSS-Fuzz
Library version
develop
Validation
develop branch is used.