skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
September 9, 2022

GHSL-2022-048: Double free in jsonxx - CVE-2022-23459

Jaroslav Lobacevski

Coordinated Disclosure Timeline

Summary

Double free or Use after Free in Value class

Product

Jsonxx

Tested Version

Latest from master branch

Details

Issue: double free on Value assignment (GHSL-2022-048)

Value uses default assignment operator, while it has pointer members. In certain use case scenarios it may lead to double free or use after free memory corruption.

PoC:

Object *o1(new Object), *o2(new Object);
o1->parse("{\"a\":\"test\"}");
o2->parse(input);
if (o2->has<string>("a")) {
    (*o1->kv_map().at("a")) = (*o2->kv_map().at("a"));
}
delete o1;
o2->kv_map().at("a"); // Use after free
delete o2; // Double free

Impact

This issue may allow an attacker to execute arbitrary code.

CVE

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-048 in any communication regarding this issue.