json BUGFIX invalid BMP character oob reads
The initial issue was found by OSSFuzz in lyd_parse_mem_json.
Add two variants of the triggering input to the fuzz regression corpus.
Co-authored-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
diff --git a/src/json.c b/src/json.c
index 2092a09..e460d29 100644
--- a/src/json.c
+++ b/src/json.c
@@ -153,7 +153,7 @@
while (in[offset]) {
if (in[offset] == '\\') {
/* escape sequence */
- size_t slash = offset;
+ const char *slash = &in[offset];
uint32_t value;
uint8_t i = 1;
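Review bot: The new `const char *slash = &in[offset];` carries no comment saying what it anchors or why it became a pointer, and the reason is not obvious from the declaration alone: it marks the backslash that opens the escape sequence and is used only by the diagnostics in the later hunks, presumably as a pointer rather than an offset because `in` itself is advanced (`in += offset`) within this loop. A one-line comment such as `/* start of the escape sequence, kept for error messages; a pointer because in is advanced below */` would stop the next maintainer from reverting it to an offset. The enclosing function starts before this hunk.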
@@ -221,7 +221,7 @@
offset++;
for (value = i = 0; i < 4; i++) {
if (!in[offset + i]) {
- LOGVAL(jsonctx->ctx, LYVE_SYNTAX, "Invalid basic multilingual plane character \"%s\".", &in[slash]);
+ LOGVAL(jsonctx->ctx, LYVE_SYNTAX, "Invalid basic multilingual plane character \"%s\".", slash);
goto error;
} else if (isdigit(in[offset + i])) {
u = (in[offset + i] - '0');
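Review bot: The hex-digit validation at `} else if (isdigit(in[offset + i])) {` passes a plain `char` to `isdigit()`; where `char` is signed, a non-ASCII byte after `\u` becomes a negative value other than EOF, which is undefined behaviour for the `<ctype.h>` functions, and the new corpus files show such bytes are reachable in this input. Cast first: `} else if (isdigit((unsigned char)in[offset + i])) {`, and the same cast belongs on any `isxdigit`/range checks for the `a`-`f` digits that presumably follow in the part of this branch outside the hunk. The `!in[offset + i]` check before it does keep the `%s` of `slash` bounded by the terminator, so that log line is fine as changed. The enclosing function starts before this hunk.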
@@ -243,7 +243,7 @@
offset += i; /* add read escaped characters */
LY_CHECK_ERR_GOTO(ly_pututf8(&buf[len], value, &u),
LOGVAL(jsonctx->ctx, LYVE_SYNTAX, "Invalid character reference \"%.*s\" (0x%08x).",
- (int)(offset - slash), &in[slash], value),
+ (int)(&in[offset] - slash), slash, value),
error);
len += u; /* update number of bytes in buffer */
in += offset; /* move the input by the processed bytes stored in the buffer ... */
diff --git a/tests/fuzz/corpus/lyd_parse_mem_json/pull1460 b/tests/fuzz/corpus/lyd_parse_mem_json/pull1460
new file mode 100644
index 0000000..66bc72f
--- /dev/null
+++ b/tests/fuzz/corpus/lyd_parse_mem_json/pull1460
@@ -0,0 +1 @@
+"viøonisionp\u\
\ No newline at end of file
diff --git a/tests/fuzz/corpus/lyd_parse_mem_json/pull1460_2 b/tests/fuzz/corpus/lyd_parse_mem_json/pull1460_2
new file mode 100644
index 0000000..1df63c8
--- /dev/null
+++ b/tests/fuzz/corpus/lyd_parse_mem_json/pull1460_2
@@ -0,0 +1 @@
+"viøonisionp\uGAAA"