From 2add3abc9ed62ad046e94ad06040239a8f5b88e3 Mon Sep 17 00:00:00 2001 From: orri Date: Tue, 30 Apr 2024 09:46:17 +0000 Subject: [PATCH 1/2] Add test for heap buffer overflow From #800 --- tests/parse_examples.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/tests/parse_examples.c b/tests/parse_examples.c index 95a09590..d35d6cfb 100644 --- a/tests/parse_examples.c +++ b/tests/parse_examples.c @@ -250,6 +250,33 @@ static void test14_should_not_be_parsed(void) } } +/* Address Sanitizer */ +static void test15_should_not_heap_buffer_overflow(void) +{ + const char *strings[] = { + "{\"1\":1,", + "{\"1\":1, ", + }; + + size_t i; + + for (i = 0; i < sizeof(strings) / sizeof(strings[0]); i+=1) + { + const char *json_string = strings[i]; + size_t len = strlen(json_string); + cJSON *json = NULL; + + char *exact_size_heap = (char*)malloc(len); + TEST_ASSERT_NOT_NULL(exact_size_heap); + + memcpy(exact_size_heap, json_string, len); + json = cJSON_ParseWithLength(exact_size_heap, len); + + cJSON_Delete(json); + free(exact_size_heap); + } +} + int CJSON_CDECL main(void) { UNITY_BEGIN(); @@ -267,5 +294,6 @@ int CJSON_CDECL main(void) RUN_TEST(test12_should_not_be_parsed); RUN_TEST(test13_should_be_parsed_without_null_termination); RUN_TEST(test14_should_not_be_parsed); + RUN_TEST(test15_should_not_heap_buffer_overflow); return UNITY_END(); } From c39043866aaef2e599045b2c04936b247f84d82d Mon Sep 17 00:00:00 2001 From: orri Date: Tue, 30 Apr 2024 09:50:19 +0000 Subject: [PATCH 2/2] Fix heap buffer overflow Fixes #800 --- cJSON.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/cJSON.c b/cJSON.c index 4f5b38dc..97564bb0 100644 --- a/cJSON.c +++ b/cJSON.c @@ -1660,6 +1660,11 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu current_item = new_item; } + if (cannot_access_at_index(input_buffer, 1)) + { + goto fail; /* nothing comes after the comma */ + } + /* parse the name of the child */ input_buffer->offset++; buffer_skip_whitespace(input_buffer);