Discard optimized containers with negative counts in UBJSON/BJData (#3491,#3492,#3490) #3500
Conversation
Looks good to me.
I let the fuzzer run on the now-merged branch and see no issues after letting it run for half an hour. 👍
I think I found another issue: In the binary reader in function

```cpp
string_t key = "_ArraySize_";
if (JSON_HEDLEY_UNLIKELY(!sax->start_object(3) || !sax->key(key) || !sax->start_array(dim.size())))
{
    return false;
}
```

In an example input, I get the following SAX events:

```xml
<object size="3">
    <key key="_ArraySize_" />
    <array size="2">
        <number_integer val="2148925440" />
        <number_integer val="6701356247676222464" />
    </array>
```

However, the object that is started with

Here is the respective input: crash.bjdata.zip

I will re-run the fuzzer with the enabled assertions from #3498 and see if I can find smaller examples.
Here is a 14 byte example:

which produces these SAX events:

```xml
<array>
    <object size="3">
        <key key="_ArraySize_" />
        <array size="2">
            <number_integer val="255" />
            <number_integer val="93" />
        </array>
        <array size="0">
        </array>
</array>
```

The more I look at it: why is there a hard-coded
This may partially address the fuzzer errors reported in #3491, #3492 and #3490.
Specifically, the above failed fuzzer errors appear to be triggered when an ND-array optimized header contains 0 in any of the dimensional vector elements. This causes partially written objects and array constructs.
Another issue this patch fixes is related to the implementation-spec mismatch discussed in #3492 (comment): a negative count should result in an invalid UBJSON and BJData input.
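To make the two failure modes in the description concrete, here is an added example in Python; it is not nlohmann/json code and not the patch in this PR, but a deliberately small reader for the array forms the discussion is about: plain `[...]`, count-optimized `[#count`, type-and-count-optimized `[$type#count`, and the BJData N-D form in which a dimension vector follows `#`. It assumes the dimension vector is written as a nested integer array after `#` (either `[$type#count d1 d2...` or `[T d1 T d2 ...]`), requires a `$type` for N-D arrays, and supports only integer, null and boolean values; those restrictions are simplifications for illustration. The N-D result is returned as an object with the `_ArrayType_`, `_ArraySize_` and `_ArrayData_` keys, the same shape as the SAX events shown earlier in the thread, so that a zero in any dimension yields a complete object with an empty `_ArrayData_` rather than a partially emitted structure, and a negative count or dimension is refused outright instead of being interpreted as a huge unsigned value. All inputs in the usage section are constructed for this example, not the fuzzer cases from the linked issues.

```python
"""Illustrative UBJSON/BJData optimized-container reader (added example, not library code)."""
import struct

# Integer markers shared by UBJSON and BJData: marker -> (struct code, byte size).
INT_TYPES = {"i": ("b", 1), "U": ("B", 1), "I": ("h", 2), "l": ("i", 4), "L": ("q", 8)}
# BJData adds unsigned 16/32/64-bit integers and uses little-endian byte order.
BJDATA_INT_TYPES = {"u": ("H", 2), "m": ("I", 4), "M": ("Q", 8)}


class FormatError(ValueError):
    """Raised for any input the reader refuses (negative count, truncation, ...)."""


class Reader:
    def __init__(self, data: bytes, bjdata: bool = False):
        self.data, self.pos, self.bjdata = data, 0, bjdata
        self.int_types = dict(INT_TYPES)
        if bjdata:
            self.int_types.update(BJDATA_INT_TYPES)
        self.endian = "<" if bjdata else ">"

    def take(self, n: int) -> bytes:
        # Bounds-check every read so a large (but valid) count cannot run past the buffer.
        if self.pos + n > len(self.data):
            raise FormatError("unexpected end of input")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def marker(self) -> str:
        return self.take(1).decode("latin-1")

    def read_int(self, m: str) -> int:
        if m not in self.int_types:
            raise FormatError(f"expected integer marker, got {m!r}")
        code, size = self.int_types[m]
        return struct.unpack(self.endian + code, self.take(size))[0]

    def read_count(self, m: str) -> int:
        # Counts may be written with signed integer types; a negative value is invalid input,
        # neither "zero elements" nor an unsigned wrap-around.
        n = self.read_int(m)
        if n < 0:
            raise FormatError(f"negative count {n}")
        return n

    def read_dims(self) -> list:
        """Dimension vector after '#[' (assumed BJData layout); the '[' is already consumed."""
        m = self.marker()
        if m == "$":  # optimized form: $type#count d1 d2 ...
            t = self.marker()
            if self.marker() != "#":
                raise FormatError("'$type' in a dimension vector must be followed by '#'")
            dims = [self.read_int(t) for _ in range(self.read_count(self.marker()))]
        else:  # plain form: T d1 T d2 ... ]
            dims = []
            while m != "]":
                dims.append(self.read_int(m))
                m = self.marker()
        if any(d < 0 for d in dims):
            raise FormatError(f"negative dimension in {dims}")
        return dims

    def read_value(self, m: str = None):
        m = self.marker() if m is None else m
        if m == "Z":
            return None
        if m == "T":
            return True
        if m == "F":
            return False
        if m == "[":
            return self.read_array()
        return self.read_int(m)  # simplification: no strings, floats or objects

    def read_array(self):
        """'[' consumed. Handles plain, '#count', '$type#count' and BJData '$type#[dims' arrays."""
        m = self.marker()
        elem_type = None
        if m == "$":
            elem_type = self.marker()
            if elem_type not in self.int_types:
                raise FormatError("simplified reader: typed arrays must hold integers")
            m = self.marker()
            if m != "#":
                raise FormatError("'$type' must be followed by '#'")
        if m == "#":
            m = self.marker()
            if m == "[" and self.bjdata and elem_type is not None:
                dims = self.read_dims()
                total = 1
                for d in dims:
                    total *= d  # a zero dimension means zero elements, not a truncated structure
                data = [self.read_int(elem_type) for _ in range(total)]
                # Emit the complete three-key object even when data is empty.
                return {"_ArrayType_": elem_type, "_ArraySize_": dims, "_ArrayData_": data}
            n = self.read_count(m)
            if elem_type is not None:
                return [self.read_int(elem_type) for _ in range(n)]
            return [self.read_value() for _ in range(n)]
        out = []  # plain array: m is the first element's marker or ']'
        while m != "]":
            out.append(self.read_value(m))
            m = self.marker()
        return out


def parse(data: bytes, bjdata: bool = False):
    """Parse one top-level value and require the whole input to be consumed."""
    r = Reader(data, bjdata)
    value = r.read_value()
    if r.pos != len(data):
        raise FormatError(f"{len(data) - r.pos} trailing bytes")
    return value


def rejects(data: bytes, bjdata: bool = False) -> bool:
    """True if the reader refuses the input."""
    try:
        parse(data, bjdata)
    except FormatError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs for illustration.
    print(parse(b"[$U#U\x03\x01\x02\x03"))                # [1, 2, 3]
    print(rejects(b"[$U#i\xff"))                          # True: count is -1
    print(parse(b"[$U#[$U#U\x02\x02\x00", bjdata=True))   # 2x0 N-D array, empty but complete
```

The two properties worth keeping in any reader of these formats are visible in `read_count` and the N-D branch: the count is validated before it is used for allocation or iteration, and the element total is the product of the dimensions, so an empty dimension simply produces no element reads and every container that was opened is also closed.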