Segmentation Fault after calling cJSON_GetObjectItemCaseSensitive

[yuweol]

Hello. I think i found a bug in cJSON v1.7.8
I attached source code to replay this bug.

I used below script to build this code file. And also I built cJSON library with address sanitizer option and -m32.

clang -o bug.o -c bug.c -DCJSON_API_VISIBILITY -DCJSON_EXPORT_SYMBOLS -DENABLE_LOCALES -m32 -g -std=c89 -pedantic -Wall -Wextra -Werror -Wstrict-prototypes -Wwrite-strings -Wshadow -Winit-self -Wcast-align -Wformat=2 -Wmissing-prototypes -Wstrict-overflow=2 -Wcast-qual -Wundef -Wswitch-default -Wconversion -Wc++-compat -fstack-protector-strong -Wcomma -Wdouble-promotion -Wparentheses -Wunused-macros -Wmissing-variable-declarations -Wused-but-marked-unused -Wswitch-enum -fvisibility=hidden

clang -m32 -g -fsanitize=address -std=c89 -pedantic -Wall -Wextra -Werror -Wstrict-prototypes -Wwrite-strings -Wshadow -Winit-self -Wcast-align -Wformat=2 -Wmissing-prototypes -Wstrict-overflow=2 -Wcast-qual -Wundef -Wswitch-default -Wconversion -Wc++-compat -fstack-protector-strong -Wcomma -Wdouble-promotion -Wparentheses -Wunused-macros -Wmissing-variable-declarations -Wused-but-marked-unused -Wswitch-enum -fvisibility=hidden -Wl,-rpath,${libcjonlibrarypath} -rdynamic -lm -o bug bug.o ./libcjson.so.1.7.8

bug.zip

[FSMaxB]

Sorry for taking so long to respond.

There definitely seems to be something wrong here, although probably not in cJSON_GetObjectItemCaseSensitive but in cJSON_Parse. I will investigate this.

[FSMaxB]

Oh, now I understand. There is indeed a bug in cJSON in cJSON_GetObjectItemCaseInsensitive, but there is also a bug in your code that triggered it.

[FSMaxB]

What you are doing is calling cJSON_GetObjectItemCaseInsensitive on an array instead of an object. This is invalid because arrays don't have keys. But then cJSON passes the NULL key over to strcmp without checking first, so that is a bug in cJSON! Thanks for finding and reporting this.

[FSMaxB]

This is now fixed in 1.7.9

[nluedtke]

This was assigned CVE-2019-1010239.