Headline
CVE-2023-50471: bug for cJSON_InsertItemInArray function · Issue #802 · DaveGamble/cJSON
cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_InsertItemInArray at cJSON.c.
Description
If the the newitem passed in cJSON_InsertItemInArray dont have prev, the newitem->prevwill be null. The null pointer dereference will cause SEGV in function cJSON_InsertItemInArray cJSON.c:2287
Version
commit cb8693b058ba302f4829ec6d03f609ac6f848546 (HEAD -> master, tag: v1.7.16, origin/master, origin/HEAD)
Author: Alan Wang <[email protected]>
Date: Wed Jul 5 11:22:19 2023 +0800
Related Code
CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON *newitem) { cJSON *after_inserted = NULL;
if (which < 0)
{
return false;
}
after\_inserted \= get\_array\_item(array, (size\_t)which);
if (after\_inserted \== NULL)
{
return add\_item\_to\_array(array, newitem);
}
newitem\->next \= after\_inserted;
newitem\->prev \= after\_inserted\->prev;
after\_inserted\->prev \= newitem;
if (after\_inserted \== array\->child)
{
array\->child \= newitem;
}
else
{
newitem\->prev\->next \= newitem; // <== here
}
return true;
}
Impact
Potentially causing DoS
Related news
Ubuntu Security Notice 6784-1 - It was discovered that cJSON incorrectly handled certain input. An attacker could possibly use this issue to cause cJSON to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS and Ubuntu 23.10. Luo Jin discovered that cJSON incorrectly handled certain input. An attacker could possibly use this issue to cause cJSON to crash, resulting in a denial of service.