Coordinated Disclosure Timeline
- 2022-07-18: Report sent to the maintainer
- 2022-07-19: Maintainer replied that the code is no longer supported and archived the repository
Summary
Double free or Use after Free in Value class
Product
Jsonxx
Tested Version
Details
Issue: double free on Value assignment (GHSL-2022-048)
Value relies on the compiler-generated (default) assignment operator even though it has pointer members. Assigning one Value to another therefore copies the raw pointers rather than the data they point to, so two Value objects end up owning the same heap allocation: destroying the first leaves the second dangling, and in certain usage patterns this results in use-after-free or double-free memory corruption.
PoC:
#include <string>
#include "jsonxx.h"
using namespace jsonxx;
using std::string;
int main() {
    string input = "{\"a\":\"x\"}"; // stand-in for attacker-controlled JSON: any object with a string under key "a"
    Object *o1(new Object), *o2(new Object);
    o1->parse("{\"a\":\"test\"}");
    o2->parse(input);
    if (o2->has<string>("a")) {
        // default Value::operator= copies the internal pointer, so both Values now share one heap string
        (*o1->kv_map().at("a")) = (*o2->kv_map().at("a"));
    }
    delete o1;                // frees the shared string through o1's Value
    o2->kv_map().at("a");     // Use after free
    delete o2;                // Double free
    return 0;
}
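To make the root cause concrete independently of the library, here is an added, self-contained example; it is not jsonxx's code and not part of the original advisory. `ShallowValue` is a hypothetical stand-in that owns a heap string through a raw pointer and relies on the compiler-generated assignment operator, the pattern described above. `DeepValue` is the hardened form with a deep-copying copy constructor and a copy-and-swap assignment operator. The helper functions report whether two objects alias one allocation and break the alias by hand before destructors run, so the demo shows the defect without committing the double free itself.

```cpp
#include <string>
#include <utility>

// Hypothetical stand-in for a Value-like class (not jsonxx's code): owns a
// heap string via a raw pointer but declares no operator=, so the
// compiler-generated one copies the pointer bit-for-bit.
struct ShallowValue {
    std::string* str_;
    explicit ShallowValue(const std::string& s) : str_(new std::string(s)) {}
    ~ShallowValue() { delete str_; }
    // Implicit copy constructor and operator=: both are shallow.
};

// Hardened form (Rule of Three): deep-copying copy constructor plus
// copy-and-swap assignment, so every object owns exactly one heap block.
struct DeepValue {
    std::string* str_;
    explicit DeepValue(const std::string& s) : str_(new std::string(s)) {}
    DeepValue(const DeepValue& o) : str_(new std::string(*o.str_)) {}
    DeepValue& operator=(DeepValue o) {      // `o` is a fresh deep copy
        std::swap(str_, o.str_);             // take its block, hand it ours
        return *this;                        // our old block is freed when `o` dies
    }
    ~DeepValue() { delete str_; }
};

// Returns true if assignment leaves both objects pointing at one heap block.
// The alias is broken afterwards so this function does not itself double free.
bool shallow_assignment_aliases() {
    ShallowValue a("left"), b("right");
    std::string* orig = a.str_;              // block that shallow assignment leaks
    a = b;                                   // compiler-generated operator=
    bool aliased = (a.str_ == b.str_);
    delete orig;                             // reclaim the leaked block
    a.str_ = nullptr;                        // leave b as the sole owner
    return aliased;                          // true
}

// Same check for the hardened class: each object keeps its own copy.
bool deep_assignment_aliases() {
    DeepValue a("left"), b("right");
    a = b;
    return a.str_ == b.str_;                 // false
}

// Mirrors the PoC order: assign into a heap-owned target, delete the target,
// then read the source. With ShallowValue that read would be a use after free
// and the source's destructor a double free; with DeepValue it is well defined.
std::string deep_survives_peer_destruction() {
    DeepValue* target = new DeepValue("placeholder");
    DeepValue source("test");
    *target = source;
    delete target;
    return *source.str_;                     // "test"
}
```

In modern C++ the same fix falls out of holding the string in a `std::unique_ptr<std::string>`: the implicit copy operations become ill-formed, so a shallow assignment like the one in the PoC is rejected at compile time instead of corrupting the heap at run time.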
Impact
This issue may allow an attacker to execute arbitrary code.
CVE
- CVE-2022-23459
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-048 in any communication regarding this issue.