
Heap-buffer-overflow (OSS-Fuzz issue 367) #412

Closed
nlohmann opened this issue Jan 1, 2017 · 1 comment

nlohmann commented Jan 1, 2017

Detailed report: https://clusterfuzz-external.appspot.com/testcase?key=6541936374579200

Project: json
Fuzzer: libFuzzer_json_fuzzer-parse_cbor
Fuzz target binary: fuzzer-parse_cbor
Job Type: libfuzzer_asan_json
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x60d0000004d8
Crash State:
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha

Recommended Security Severity: Medium

Regressed: https://clusterfuzz-external.appspot.com/revisions?job=libfuzzer_asan_json&range=201612280923:201612281110

Minimized Testcase (0.13 Kb): https://clusterfuzz-external.appspot.com/download/AMIfv9662WCaMqPQr9f_huKoZWqDy6Qn7oJb7-csZwN-cxWh1PIBkymo9X7gg1WMkAodGEnx_KUFobrGGthMmyUfXE33PSi3l8GULrWI8zioF2hC_bzhxyORUtGqPE0jak4Hr7i1OJ8gg8iVFeAThvCaRzHjjLIWMl8uxv0HP9yUF2_ldtjxyh9vGZHdRSNbPXvfMGdYhFxpXH6Tl2tZ2EG-NpsB8xTAtod-6sh_P42Lut50954D2B1qzZnP6tC_uOfgV3WTd1Q5iyIWvHDHLEmt810RhuDE-mNVB9ueMTObG0BxN_tyhnwTqaWGzSE6rhl4k5CN5ABrzbz4AfnXnJhE1RNVONchtXT6yQB49IL9aAfY7edE3SuPFMlcgf45a9hxICAxqXOA?testcase_id=6541936374579200

Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without an upstream patch, then the bug report will automatically become visible to the public.

Input:

```
ab98 9898 9898 9898 9898 9898 9800 0000
60ab 9898 9898 9898 9898 9898 9800 0000
6060 6060 6060 6060 6060 6060 6060 6060
6060 6060 6060 6060 6060 6060 6060 6060
6060 6060 6060 6060 6060 6060 6060 6060
6060 6060 6060 a09f 9f97 6060 6060 6060
6060 6060 6060 6060 6060 6060 6060 6060
6060 6060 6060 6060 6060 6060 6060 6060
6060 6060 6060 6060
```

fuzz-3-json_fuzzer-parse_cbor-2.zip

```
==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d0000004d8 at pc 0x00000051fd6a bp 0x7ffceb681150 sp 0x7ffceb681148
READ of size 1 at 0x60d0000004d8 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
#0 0x51fd69 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7421:24
#1 0x51fd99 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7423:38
#2 0x51f3b9 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7377:38
#3 0x51f3b9 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7377:38
#4 0x51f3b9 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7377:38
#5 0x51f3b9 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7377:38
#6 0x51f3b9 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7377:38
#7 0x520080 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7460:39
#8 0x51f3b9 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7377:38
#9 0x51f3b9 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7377:38
#10 0x51f3b9 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7377:38
#11 0x51f3b9 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7377:38
#12 0x51f3b9 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7377:38
#13 0x51f3b9 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7377:38
#14 0x520080 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7460:39
#15 0x511bbc in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) /src/json/src/json.hpp:7720:16
#16 0x51107e in LLVMFuzzerTestOneInput /src/json/./test/src/fuzzer-parse_cbor.cpp:34:19
```

nlohmann commented Jan 1, 2017

Same issue as #411: the stop byte was always expected. Added a test now.
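The defect behind this report, as an added example that is not nlohmann/json's own code: a minimal CBOR skip-parser in which every byte read is bounds-checked, including the search for the 0xff break byte that closes an indefinite-length array or map, so the minimized testcase above is classified as truncated input instead of being read past the end of the buffer. `check_cbor`, `skip_item`, `next_byte` and `oss_fuzz_367_input` are names chosen here, and the 136-byte input is assembled from the hex dump in the report.

```cpp
// Added example (not nlohmann/json code): a bounds-checked CBOR skip-parser in which a
// missing 0xff break byte ends in a "truncated" status rather than a read past the buffer.
#include <cstdint>
#include <stdexcept>
#include <vector>
enum class CborStatus { Ok, Truncated, Malformed };
// Returns the byte at idx and advances; throws once the input is exhausted.
static uint8_t next_byte(const std::vector<uint8_t>& v, size_t& idx) {
    if (idx >= v.size()) throw std::out_of_range("truncated"); return v[idx++]; }
// Skips one item; returns false only for the 0xff break byte. Tags, floats and simple values are out of scope.
static bool skip_item(const std::vector<uint8_t>& v, size_t& idx) {
    const uint8_t ib = next_byte(v, idx);
    if (ib == 0xff) return false;
    const uint8_t major = ib >> 5, info = ib & 0x1f;
    if (info == 0x1f) {                                    // indefinite-length array/map
        if (major != 4 && major != 5) throw std::invalid_argument("malformed");
        while (skip_item(v, idx)) {}                       // items until 0xff; throws if it never comes
        return true;
    }
    uint64_t arg = info;                                   // integer value, length or item count
    if (info >= 24) {                                      // 1/2/4/8-byte argument follows
        if (info > 27) throw std::invalid_argument("malformed"); arg = 0;
        for (int n = 1 << (info - 24); n > 0; --n) arg = (arg << 8) | next_byte(v, idx);
    }
    switch (major) {
        case 0: case 1: return true;                       // integers carry no payload
        case 2: case 3:                                    // byte/text string: skip the payload
            if (arg > v.size() - idx) throw std::out_of_range("truncated");
            idx += static_cast<size_t>(arg); return true;
        case 4: case 5:                                    // definite array (n items) / map (n pairs)
            for (uint64_t n = 0; n < arg; ++n)
                for (int k = (major == 5) ? 2 : 1; k > 0; --k)
                    if (!skip_item(v, idx)) throw std::invalid_argument("malformed");
            return true;
        default: throw std::invalid_argument("malformed");
    }
}
// Classifies a buffer by skipping its first item (trailing bytes are ignored).
CborStatus check_cbor(const std::vector<uint8_t>& v) {
    size_t idx = 0;
    try { return skip_item(v, idx) ? CborStatus::Ok : CborStatus::Malformed; }
    catch (const std::out_of_range&) { return CborStatus::Truncated; }
    catch (const std::invalid_argument&) { return CborStatus::Malformed; }
}
// The 136-byte minimized testcase from the report above, as (count, byte) runs of its hex dump.
std::vector<uint8_t> oss_fuzz_367_input() {
    static const int cnt[] = {1, 12, 3, 1, 1, 11, 3, 54, 1, 1, 1, 1, 46};
    static const uint8_t val[] = {0xab, 0x98, 0, 0x60, 0xab, 0x98, 0, 0x60, 0xa0, 0x9f, 0x9f, 0x97, 0x60};
    std::vector<uint8_t> v;
    for (int i = 0; i < 13; ++i) v.insert(v.end(), cnt[i], val[i]);
    return v;
}
```

On the testcase the parser descends through the nested arrays and maps, enters the two indefinite-length arrays opened by `9f 9f`, consumes the remaining empty strings and then hits end of input while still waiting for the break byte, which is exactly the read the sanitizer flagged at json.hpp:7421.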

@nlohmann nlohmann self-assigned this Jan 1, 2017
nlohmann added a commit that referenced this issue Jan 1, 2017
@nlohmann nlohmann added this to the Release 2.0.10 milestone Jan 1, 2017
@nlohmann nlohmann closed this as completed Jan 2, 2017
@nlohmann nlohmann added the aspect: binary formats BSON, CBOR, MessagePack, UBJSON label Mar 28, 2017