Heap-buffer-overflow (OSS-Fuzz issue 366) #411
nlohmann opened this issue Jan 1, 2017 · 1 comment
nlohmann commented Jan 1, 2017

Detailed report: https://clusterfuzz-external.appspot.com/testcase?key=6389881328631808

Project: json
Fuzzer: libFuzzer_json_fuzzer-parse_cbor
Fuzz target binary: fuzzer-parse_cbor
Job Type: libfuzzer_asan_json
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6020000000d1
Crash State:
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha
_start

Recommended Security Severity: Medium

Regressed: https://clusterfuzz-external.appspot.com/revisions?job=libfuzzer_asan_json&range=201612280923:201612281110

Minimized Testcase (0.00 Kb):
Download: https://clusterfuzz-external.appspot.com/download/AMIfv966Em_K8UOgnsngPWgxZ8qsH_julqkD3HcQfMo22dZ-YX0xGwy1yx2sr_OWR_Es6N15TRNpcNbERPUaO2yfCwmUMx4o6jlF_uJWXM0fnjTXqSCIVEx3KC4oSwOsIIPdcjeMNH9wQlzBEcZtR9M46kWc1fjDdyxEqi9ieUgrZFVBstgA1KqwVRjJ4B_Lspp3tKNyanvYdZYu_A74yUANK8XeW1ClnMzrkOQ_u7hfH7s1DHiH6i4TzrYrY0EKB9xZqYctrUf4V9yKKW1zmlUda0ZSMA4Inv0iWS7ox13NZgJMPdG3Yw9PWQxuiHjjfjKfLCjy5ZsD1DYPDzOVu1KRZkWlRiG4AMz64raXrrOMWg2ThjXWhMWBhrV9J1-uTWlWR1bkulo_?testcase_id=6389881328631808
Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.

Input: 0x7f

=================================================================
==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000d1 at pc 0x00000051e97f bp 0x7fffed42a3f0 sp 0x7fffed42a3e8
READ of size 1 at 0x6020000000d1 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
#0 0x51e97e in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7325:24
#1 0x511bbc in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) /src/json/src/json.hpp:7720:16
#2 0x51107e in LLVMFuzzerTestOneInput /src/json/./test/src/fuzzer-parse_cbor.cpp:34:19
#3 0x5c8878 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:541:13
#4 0x5c95d4 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:492:3
#5 0x559eb7 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:267:6
#6 0x562023 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:485:9
#7 0x558318 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#8 0x7f2164b0182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x41b978 in _start (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_json_26b1464c0c18fac23c49bf26ed996090f90e682a/revisions/fuzzer-parse_cbor+0x41b978)
nlohmann commented Jan 1, 2017

Diagnosis: 0x7f is a UTF-8 string of undetermined length which was never closed.
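As an added illustration, not code from the nlohmann/json project or its fix, here is a hypothetical minimal decoder for one CBOR text string, including the indefinite-length form (initial byte 0x7f, chunks terminated by the 0xff break code) that the one-byte input leaves unterminated. Every byte is fetched through a bounds-checked accessor, so a truncated stream raises an exception instead of being read past the end of the buffer; the names `CborTextReader`, `decode_text` and `decodes_cleanly` are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical minimal decoder for one CBOR text string (major type 3).
// Every byte goes through get(), which checks the position against the buffer
// size, so a truncated stream such as the lone 0x7f from the report throws
// std::out_of_range instead of reading past the end of the vector.
struct CborTextReader {
    const std::vector<uint8_t>& in;
    size_t pos = 0;
    explicit CborTextReader(const std::vector<uint8_t>& b) : in(b) {}
    uint8_t get() {
        if (pos >= in.size()) throw std::out_of_range("truncated CBOR input at offset " + std::to_string(pos));
        return in[pos++];
    }
    std::string read_text() {
        const uint8_t ib = get();
        if ((ib >> 5) != 3) throw std::invalid_argument("not a CBOR text string");
        const uint8_t ai = ib & 0x1f;              // "additional information" bits
        if (ai == 0x1f) {                          // indefinite length: chunks until 0xff break
            std::string out;
            for (;;) {
                const uint8_t next = get();        // a lone 0x7f fails here, safely
                if (next == 0xff) return out;      // break code closes the string
                if ((next >> 5) != 3 || (next & 0x1f) == 0x1f)
                    throw std::invalid_argument("chunk must be a definite-length text string");
                --pos;                             // re-parse the chunk as a definite string
                out += read_text();
            }
        }
        size_t len = 0;
        if (ai < 24)       len = ai;               // length encoded in the initial byte
        else if (ai == 24) len = get();            // one-byte length follows
        else throw std::invalid_argument("longer length encodings omitted in this example");
        if (len > in.size() - pos) throw std::out_of_range("declared length exceeds remaining input");
        std::string s(in.begin() + pos, in.begin() + pos + len);
        pos += len;
        return s;
    }
};

// Decode one text string from a buffer; throws on truncated or malformed input.
std::string decode_text(const std::vector<uint8_t>& bytes) { CborTextReader r(bytes); return r.read_text(); }
// True only when the buffer is exactly one well-formed text string.
bool decodes_cleanly(const std::vector<uint8_t>& bytes) {
    try { CborTextReader r(bytes); r.read_text(); return r.pos == bytes.size(); }
    catch (const std::exception&) { return false; }
}
```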

@nlohmann nlohmann self-assigned this Jan 1, 2017
nlohmann added a commit that referenced this issue Jan 1, 2017
@nlohmann nlohmann added this to the Release 2.0.10 milestone Jan 1, 2017
@nlohmann nlohmann closed this as completed Jan 2, 2017
@nlohmann nlohmann added the aspect: binary formats BSON, CBOR, MessagePack, UBJSON label Mar 28, 2017