You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Dear Serge Zaitsev,
We have found a buffer overflow issue in jsmn.
The crash input is automatically generated by our test generation tool FOCAL.
You can find crash.json in crash.zip.
Here are details to reproduce the buffer overflow.
OS & Compiler
Ubuntu Linux 16.04 x64 and GCC 5.4.0
Build command $ LDFLAGS="-fsanitize=address" CFLAGS="-fsanitize=address" make all jsondump
Run command $ ./jsondump < crash.json
Outputs
'glossar▒▒: {
': titl
=================================================================
==4148==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000f000 at pc 0x000000400e95 bp 0x7ffd518ee090 sp 0x7ffd518ee080
READ of size 4 at 0x60600000f000 thread T0
#0 0x400e94 in dump (/home/yhkim/jsmn/jsondump+0x400e94)
#1 0x40115e in dump (/home/yhkim/jsmn/jsondump+0x40115e)
#2 0x401707 in main (/home/yhkim/jsmn/jsondump+0x401707)
#3 0x7fec0954182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x400ca8 in _start (/home/yhkim/jsmn/jsondump+0x400ca8)
0x60600000f000 is located 0 bytes to the right of 64-byte region [0x60600000efc0,0x60600000f000)
allocated by thread T0 here:
#0 0x7fec09983961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
#1 0x400d98 in realloc_it (/home/yhkim/jsmn/jsondump+0x400d98)
#2 0x4016c7 in main (/home/yhkim/jsmn/jsondump+0x4016c7)
#3 0x7fec0954182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 dump
Shadow bytes around the buggy address:
0x0c0c7fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9df0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0c7fff9e00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff9e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==4148==ABORTING
The text was updated successfully, but these errors were encountered:
Dear Serge Zaitsev,
We have found a buffer overflow issue in jsmn.
The crash input is automatically generated by our test generation tool FOCAL.
You can find crash.json in crash.zip.
Here are details to reproduce the buffer overflow.
Ubuntu Linux 16.04 x64 and GCC 5.4.0
$ LDFLAGS="-fsanitize=address" CFLAGS="-fsanitize=address" make all jsondump$ ./jsondump < crash.jsonThe text was updated successfully, but these errors were encountered: