September 9, 2022

GHSL-2022-049: Stack exhaustion in jsonxx - CVE-2022-23460

Jaroslav Lobacevski

Coordinated Disclosure Timeline

Summary

Stack exhaustion while parsing JSON text.

Product

Jsonxx

Tested Version

v1.0.1

Details

Issue : Stack exhaustion while parsing JSON (GHSL-2022-049)

The attached repro.json file causes a stack overflow in an ASAN build of jsonxx when it is passed to Object::parse. The truncated trace below shows the same Value::parse / parse_array / Array::parse / parse_value frames repeating for every nesting level until the stack is exhausted:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==25815==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe559b7ff0 (pc 0x7f645efec7bc bp 0x60300022e1a0 sp 0x7ffe559b7ff0 T0)
    #0 0x7f645efec7bc in __GI_____strtold_l_internal /build/glibc-SzIz7B/glibc-2.31/stdlib/../stdlib/strtod_l.c:509:1
    #1 0x7f645f3fac1f in void std::__convert_to_v<long double>(char const*, long double&, std::_Ios_Iostate&, __locale_struct* const&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0xccc1f)
    #2 0x7f645f459339 in std::num_get<char, std::istreambuf_iterator<char, std::char_traits<char> > >::do_get(std::istreambuf_iterator<char, std::char_traits<char> >, std::istreambuf_iterator<char, std::char_traits<char> >, std::ios_base&, std::_Ios_Iostate&, long double&) const (/lib/x86_64-linux-gnu/libstdc++.so.6+0x12b339)
    #3 0x7f645f448462 in std::istream& std::istream::_M_extract<long double>(long double&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x11a462)
    #4 0x30a2df in std::istream::operator>>(long double&) /usr/lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/istream:223:16
    #5 0x30a2df in jsonxx::parse_number(std::istream&, long double&) /home/user/jsonxxlatest/jsonxx.cc:205:11
    #6 0x30a2df in jsonxx::Value::parse(std::istream&, jsonxx::Value&) /home/user/jsonxxlatest/jsonxx.cc:377:9
    #7 0x30ab8d in jsonxx::Value::parse(std::istream&) /home/user/jsonxxlatest/jsonxx.cc:1184:10
    #8 0x30ab8d in jsonxx::parse_value(std::istream&, jsonxx::Value&) /home/user/jsonxxlatest/jsonxx.cc:280:18
    #9 0x30ab8d in jsonxx::Array::parse(std::istream&, jsonxx::Array&) /home/user/jsonxxlatest/jsonxx.cc:427:14
    ...
    #1468 0x30ab8d in jsonxx::Array::parse(std::istream&) /home/user/jsonxxlatest/jsonxx.cc:1146:10
    #1469 0x30ab8d in jsonxx::parse_array(std::istream&, jsonxx::Array&) /home/user/jsonxxlatest/jsonxx.cc:237:18
    #1470 0x30ab8d in jsonxx::Value::parse(std::istream&, jsonxx::Value&) /home/user/jsonxxlatest/jsonxx.cc:392:13

SUMMARY: AddressSanitizer: stack-overflow /build/glibc-SzIz7B/glibc-2.31/stdlib/../stdlib/strtod_l.c:509:1 in __GI_____strtold_l_internal
==25815==ABORTING
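One way to keep a recursive-descent parser like jsonxx's off this path is to bound nesting depth before the recursion starts. The following is an added example, not jsonxx code: a single-pass depth check that rejects text whose bracket nesting exceeds a fixed limit, so the recursive parser is never invoked on it. The limit value (512) and the function names are assumptions for illustration.

```cpp
// Added example, not part of jsonxx. jsonxx parses nested arrays by recursing
// Value::parse -> parse_array -> Array::parse -> parse_value -> Value::parse,
// one frame group per nesting level, so sufficiently deep input exhausts the
// stack. A bounded pre-check lets the caller refuse such input up front.
#include <cstddef>
#include <string>

namespace nesting_guard {

constexpr std::size_t kMaxDepth = 512;  // assumed limit; tune to the stack budget

// Scans the text once, tracking [ ] { } depth while skipping string literals
// (brackets inside "..." are data, not structure). Returns true when the
// deepest nesting stays within max_depth, false otherwise. It does not
// validate JSON syntax; that remains the parser's job after this check passes.
bool within_depth(const std::string& text, std::size_t max_depth = kMaxDepth) {
    std::size_t depth = 0;
    bool in_string = false;
    for (std::size_t i = 0; i < text.size(); ++i) {
        const char c = text[i];
        if (in_string) {
            if (c == '\\') { ++i; }                 // skip the escaped character
            else if (c == '"') { in_string = false; }
            continue;
        }
        switch (c) {
            case '"': in_string = true; break;
            case '[': case '{':
                if (++depth > max_depth) return false;  // too deep: reject
                break;
            case ']': case '}':
                if (depth > 0) --depth;
                break;
            default: break;
        }
    }
    return true;
}

// Builds a constructed sample of n nested empty arrays, e.g. n = 3 -> "[[[]]]".
std::string nested_arrays(std::size_t n) {
    return std::string(n, '[') + std::string(n, ']');
}

}  // namespace nesting_guard

// Intended use (assumed API shape): call within_depth(text) first and only
// hand text to jsonxx::Object::parse when it returns true.
```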

Impact

This issue may lead to a denial of service of the program using the library.

CVE

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-049 in any communication regarding this issue.