cJSON_Parse has buffer overflow with missing comma #878
Hi @brianwyld. Thank you for reporting this.

> Attached JSON file that causes *buffer overflow* and crash on my build due to missing comma line 2

Looks like you are trying to parse a corrupted JSON. And I noticed there is a lot of content after the missing comma on line 2, which I think is the root cause of the overflow. Considering your JSON is corrupted with a missing comma, I do not have any better idea than to validate the JSON on the caller side.
Actually cJSON is implemented in this way. See

```c
/* tail of the do { ... } while loop that walks the object's members */
while (can_access_at_index(input_buffer, 0) && (buffer_at_offset(input_buffer)[0] == ','));

if (cannot_access_at_index(input_buffer, 0) || (buffer_at_offset(input_buffer)[0] != '}'))
{
    goto fail; /* expected end of object */
}
```

As you can see, it stops parsing when a comma is missing, and it expects a `}` after it. When cJSON cannot find a `}`, it goes directly to the fail section, which handles the memory and returns NULL.
As for the overflow, I cannot reproduce it locally. IIRC cJSON does not create any buffer when parsing JSON; it only iterates over the buffer you provide when calling
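To illustrate the cursor pattern quoted above (every read guarded by a `can_access_at_index`-style check over a caller-supplied buffer and length, and a missing comma ending the container rather than being skipped), here is a small structural JSON checker. It is an added example and not cJSON's code: the names `struct cursor`, `can_access`, `json_check` and `MAX_DEPTH` are assumptions, the sample inputs are constructed, and it only validates JSON shape (it does not build a tree). It also caps nesting depth, because a recursive-descent parser's own stack use is what a small embedded stack like Zephyr's main thread stack is most sensitive to.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_DEPTH 64  /* constructed nesting limit; bounds the parser's own stack use */

/* Hypothetical bounds-checked cursor (assumed names, not cJSON's API). */
struct cursor {
    const unsigned char *buf;
    size_t len;   /* number of valid bytes in buf; reads never go past it */
    size_t off;   /* current position, always <= len */
};

/* Same shape as cJSON's can_access_at_index: is buf[off + n] inside the buffer? */
static int can_access(const struct cursor *c, size_t n) { return c->off + n < c->len; }
static int peek_is(const struct cursor *c, unsigned char ch) {
    return can_access(c, 0) && c->buf[c->off] == ch;
}
static void skip_ws(struct cursor *c) {
    while (can_access(c, 0) && (c->buf[c->off] == ' ' || c->buf[c->off] == '\t' ||
                                c->buf[c->off] == '\n' || c->buf[c->off] == '\r'))
        c->off++;
}

static int parse_value(struct cursor *c, int depth);

static int parse_string(struct cursor *c) {
    if (!peek_is(c, '"')) return 0;
    c->off++;
    while (can_access(c, 0)) {
        unsigned char ch = c->buf[c->off++];
        if (ch == '"') return 1;
        if (ch == '\\') {                        /* skip the escaped character */
            if (!can_access(c, 0)) return 0;     /* escape cut off by end of buffer */
            c->off++;
        }
    }
    return 0;   /* unterminated string: ran out of bytes, not out of bounds */
}

static int is_num_char(unsigned char ch) {
    return (ch >= '0' && ch <= '9') || ch == '+' || ch == '-' || ch == '.' || ch == 'e' || ch == 'E';
}
static int parse_number(struct cursor *c) {      /* shape only, not the full number grammar */
    size_t start = c->off;
    while (can_access(c, 0) && is_num_char(c->buf[c->off])) c->off++;
    return c->off > start;
}

static int parse_literal(struct cursor *c, const char *lit) {
    size_t n = strlen(lit);
    if (c->len - c->off < n) return 0;           /* would read past the end */
    if (memcmp(c->buf + c->off, lit, n) != 0) return 0;
    c->off += n;
    return 1;
}

/* Object ('{' ... '}') or array ('[' ... ']'). As in cJSON's parse_object, the
 * loop continues only while a ',' follows a member; anything else must be the
 * closing bracket, so a missing comma (or a truncated buffer) fails here. */
static int parse_container(struct cursor *c, unsigned char open, unsigned char close, int depth) {
    if (depth >= MAX_DEPTH) return 0;
    c->off++;                                    /* consume the opening bracket */
    skip_ws(c);
    if (peek_is(c, close)) { c->off++; return 1; }
    for (;;) {
        skip_ws(c);
        if (open == '{') {                       /* object member: "key" ':' value */
            if (!parse_string(c)) return 0;
            skip_ws(c);
            if (!peek_is(c, ':')) return 0;
            c->off++;
        }
        if (!parse_value(c, depth + 1)) return 0;
        skip_ws(c);
        if (peek_is(c, ',')) { c->off++; continue; }
        if (!peek_is(c, close)) return 0;        /* expected end of container */
        c->off++;
        return 1;
    }
}

static int parse_value(struct cursor *c, int depth) {
    skip_ws(c);
    if (!can_access(c, 0)) return 0;
    switch (c->buf[c->off]) {
    case '{': return parse_container(c, '{', '}', depth);
    case '[': return parse_container(c, '[', ']', depth);
    case '"': return parse_string(c);
    case 't': return parse_literal(c, "true");
    case 'f': return parse_literal(c, "false");
    case 'n': return parse_literal(c, "null");
    default:  return parse_number(c);
    }
}

/* Returns 1 if buf[0..len) holds exactly one complete JSON value, else 0.
 * *err_off (if non-NULL) receives the offset where checking stopped. */
int json_check(const char *buf, size_t len, size_t *err_off) {
    struct cursor c = { (const unsigned char *)buf, len, 0 };
    int ok = parse_value(&c, 0);
    if (ok) { skip_ws(&c); ok = (c.off == c.len); }  /* reject trailing bytes */
    if (err_off) *err_off = c.off;
    return ok;
}

int main(void) {
    /* Constructed samples: the second one lacks the comma between the members. */
    const char good[] = "{\"a\": 1, \"b\": [true, null]}";
    const char bad[]  = "{\"a\": 1 \"b\": [true, null]}";
    size_t off;
    printf("good: %d\n", json_check(good, sizeof good - 1, &off));
    printf("bad:  %d (stopped at offset %zu)\n", json_check(bad, sizeof bad - 1, &off), off);
    return 0;
}
```

Because the length is explicit, the same call is safe on a buffer that is not NUL-terminated or that holds more bytes than the JSON payload: the checker stops at `len` and reports the offset of the first byte it could not accept, which is what a caller-side validation step in front of `cJSON_ParseWithLength` would log.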
Ok, so either there is a problem with the version bundled in Zephyr (1.7.14) or there is another case... I will take a look in the code to see where the 'buffer overflow detected' log comes from and how it gets there.
Using cJSON version 1.7.14 as bundled in the Nordic Semi SDKConnect under Zephyr.
If I try to parse using `cJSON_ParseWithLength(tmp_json_buffer, load_len)` for a buffer containing JSON missing the comma between items, then depending on where the item is in the overall buffer I either get a parse failure:
or a nasty
followed by a Zephyr panic and a fatal error/restart.
In the first case, I have
as the end of my JSON (about 8 kB's worth).
In the 2nd case it's the first element...
Zephyr main stack size is configured to 64 kB.