Coordinated Disclosure Timeline
- 2022-07-18: Report sent to the maintainer
- 2022-07-19: Maintainer has replied that the code is no longer supported and archived the repository
Summary
Stack exhaustion while parsing JSON text.
Product
Jsonxx
Tested Version
Details
Issue: Stack exhaustion while parsing JSON (GHSL-2022-049)
The attached repro.json file causes a stack overflow in an ASAN build of jsonxx when passed to Object::parse. The trace below shows the recursive cycle Value::parse -> parse_array -> Array::parse -> parse_value -> Value::parse repeating once per nesting level, with no depth limit, until the stack is exhausted:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==25815==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe559b7ff0 (pc 0x7f645efec7bc bp 0x60300022e1a0 sp 0x7ffe559b7ff0 T0)
#0 0x7f645efec7bc in __GI_____strtold_l_internal /build/glibc-SzIz7B/glibc-2.31/stdlib/../stdlib/strtod_l.c:509:1
#1 0x7f645f3fac1f in void std::__convert_to_v<long double>(char const*, long double&, std::_Ios_Iostate&, __locale_struct* const&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xccc1f)
#2 0x7f645f459339 in std::num_get<char, std::istreambuf_iterator<char, std::char_traits<char> > >::do_get(std::istreambuf_iterator<char, std::char_traits<char> >, std::istreambuf_iterator<char, std::char_traits<char> >, std::ios_base&, std::_Ios_Iostate&, long double&) const (/lib/x86_64-linux-gnu/libstdc++.so.6+0x12b339)
#3 0x7f645f448462 in std::istream& std::istream::_M_extract<long double>(long double&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x11a462)
#4 0x30a2df in std::istream::operator>>(long double&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/istream:223:16
#5 0x30a2df in jsonxx::parse_number(std::istream&, long double&) /home/user/jsonxxlatest/jsonxx.cc:205:11
#6 0x30a2df in jsonxx::Value::parse(std::istream&, jsonxx::Value&) /home/user/jsonxxlatest/jsonxx.cc:377:9
#7 0x30ab8d in jsonxx::Value::parse(std::istream&) /home/user/jsonxxlatest/jsonxx.cc:1184:10
#8 0x30ab8d in jsonxx::parse_value(std::istream&, jsonxx::Value&) /home/user/jsonxxlatest/jsonxx.cc:280:18
#9 0x30ab8d in jsonxx::Array::parse(std::istream&, jsonxx::Array&) /home/user/jsonxxlatest/jsonxx.cc:427:14
...
#1468 0x30ab8d in jsonxx::Array::parse(std::istream&) /home/user/jsonxxlatest/jsonxx.cc:1146:10
#1469 0x30ab8d in jsonxx::parse_array(std::istream&, jsonxx::Array&) /home/user/jsonxxlatest/jsonxx.cc:237:18
#1470 0x30ab8d in jsonxx::Value::parse(std::istream&, jsonxx::Value&) /home/user/jsonxxlatest/jsonxx.cc:392:13
SUMMARY: AddressSanitizer: stack-overflow /build/glibc-SzIz7B/glibc-2.31/stdlib/../stdlib/strtod_l.c:509:1 in __GI_____strtold_l_internal
==25815==ABORTING
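The frames above (#5 through #1470) show the unbounded recursion: every nested array costs one more round of Array::parse / parse_value / Value::parse stack frames, so input nesting alone decides how deep the stack grows. The standard mitigation is to carry a nesting counter through the recursive descent and refuse the input before recursing past a fixed limit. The following is an added illustration, not jsonxx's code: a minimal recursive parser for nested arrays of integers with a hypothetical `parseJson(text, maxDepth)` entry point and a `nestedArrays(n)` helper that builds constructed test input. The default limit of 512 is an assumed value; a real library would tune it to the stack budget of its callers.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Result codes for the hypothetical depth-limited parser below.
enum class ParseStatus { Ok, SyntaxError, TooDeep };

namespace {

// Lightweight read position over the input text.
struct Cursor {
    explicit Cursor(const std::string& t) : text(t) {}
    const std::string& text;
    std::size_t pos = 0;
    bool eof() const { return pos >= text.size(); }
    char peek() const { return eof() ? '\0' : text[pos]; }
    void skipWs() {
        while (!eof() && std::isspace(static_cast<unsigned char>(text[pos]))) ++pos;
    }
};

ParseStatus parseValue(Cursor& c, std::size_t depth, std::size_t maxDepth);

// Parses an optionally signed integer. No recursion here; numbers are leaves.
ParseStatus parseNumber(Cursor& c) {
    std::size_t start = c.pos;
    if (c.peek() == '-') ++c.pos;
    std::size_t digitsStart = c.pos;
    while (std::isdigit(static_cast<unsigned char>(c.peek()))) ++c.pos;
    return c.pos > digitsStart ? ParseStatus::Ok : ParseStatus::SyntaxError;
    (void)start;
}

// Parses "[ value, value, ... ]". Each nested array adds one to `depth`.
// The limit is checked *before* any further recursion, so the frame for an
// over-deep level is the last one created and the stack stays bounded.
ParseStatus parseArray(Cursor& c, std::size_t depth, std::size_t maxDepth) {
    if (depth > maxDepth) return ParseStatus::TooDeep;
    ++c.pos;  // consume '['
    c.skipWs();
    if (c.peek() == ']') { ++c.pos; return ParseStatus::Ok; }
    for (;;) {
        c.skipWs();
        ParseStatus s = parseValue(c, depth, maxDepth);
        if (s != ParseStatus::Ok) return s;
        c.skipWs();
        if (c.peek() == ',') { ++c.pos; continue; }
        if (c.peek() == ']') { ++c.pos; return ParseStatus::Ok; }
        return ParseStatus::SyntaxError;
    }
}

// Dispatches on the next token; only arrays increase the nesting depth.
ParseStatus parseValue(Cursor& c, std::size_t depth, std::size_t maxDepth) {
    c.skipWs();
    if (c.peek() == '[') return parseArray(c, depth + 1, maxDepth);
    return parseNumber(c);
}

}  // namespace

// Public entry point (hypothetical API): parses `text` as a JSON value made of
// arrays and integers, refusing anything nested deeper than `maxDepth`.
ParseStatus parseJson(const std::string& text, std::size_t maxDepth = 512) {
    Cursor c(text);
    ParseStatus s = parseValue(c, 0, maxDepth);
    if (s != ParseStatus::Ok) return s;
    c.skipWs();
    return c.eof() ? ParseStatus::Ok : ParseStatus::SyntaxError;
}

// Builds constructed test input: `n` arrays wrapped around a single number.
std::string nestedArrays(std::size_t n) {
    return std::string(n, '[') + "1" + std::string(n, ']');
}
```

Because the depth check sits at the top of `parseArray`, an input with N levels of nesting costs at most `maxDepth + 1` recursive rounds before `TooDeep` is returned, regardless of N; the caller then sees a clean error instead of a process crash, which turns the denial-of-service described below into a rejected request.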
Impact
This issue may lead to Denial of Service of the program using the library.
CVE
- CVE-2022-23460
Credit
This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-049 in any communication regarding this issue.