Buffer overflow vulnerability in function json_parse_string in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to code arbitrary code and gain escalated privileges.

In json\_parse\_string() function of json.h(https://github.com/sheredom/json.h), there is a heap out-of-bound write. The bug can be triggered with an invocation of json\_parse\_ex() with a specific flags combination. The root cause of the vulnerability is when copying from src to data, the length of data(state.data\_size) is not taken into consideration of. This may cause EoP when using json.h as incoming json data parser.

    The flags is 0x5fd6d7d6d6247bff
    =================================================================
    ==4928==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x613000000189 at pc 0x55b62d1096ee bp 0x7ffdc2d4b010 sp 0x7ffdc2d4b008
    WRITE of size 1 at 0x613000000189 thread T0
        #0 0x55b62d1096ed in json_parse_string /home/hyrathon/Desktop/jsonh/./json.h:1540:29
        #1 0x55b62d10d6db in json_parse_value /home/hyrathon/Desktop/jsonh/./json.h:1949:7
        #2 0x55b62d10c8f0 in json_parse_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5
        #3 0x55b62d10d1c8 in json_parse_value /home/hyrathon/Desktop/jsonh/./json.h:1940:5
        #4 0x55b62d115c85 in json_parse_ex /home/hyrathon/Desktop/jsonh/./json.h:2129:3
        #5 0x55b62d12c192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5
        #6 0x7fb9e4174d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #7 0x7fb9e4174e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #8 0x55b62d03a314 in _start (/home/hyrathon/Desktop/jsonh/san+0x33314) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)
    
    0x613000000189 is located 0 bytes to the right of 329-byte region [0x613000000040,0x613000000189)
    allocated by thread T0 here:
        #0 0x55b62d0bd15e in __interceptor_malloc (/home/hyrathon/Desktop/jsonh/san+0xb615e) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)
        #1 0x55b62d114f15 in json_parse_ex /home/hyrathon/Desktop/jsonh/./json.h:2088:18
        #2 0x55b62d12c192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5
        #3 0x7fb9e4174d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hyrathon/Desktop/jsonh/./json.h:1540:29 in json_parse_string
    Shadow bytes around the buggy address:
      0x0c267fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c267fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c267fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c267fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c267fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c267fff8030: 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c267fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==4928==ABORTING
    

    #0  json_parse_string (state=0x7fffffffc700, string=0x613000000158) at ./json.h:1540
    #1  0x000055555565a6dc in json_parse_value (state=0x7fffffffc700, is_global_object=0, value=0x613000000130) at ./json.h:1949
    #2  0x00005555556598f1 in json_parse_object (state=0x7fffffffc700, is_global_object=1, object=0x613000000068) at ./json.h:1719
    #3  0x000055555565a1c9 in json_parse_value (state=0x7fffffffc700, is_global_object=4, value=0x613000000040) at ./json.h:1940
    #4  0x0000555555662c86 in json_parse_ex (src=0x7fffffffcb48, src_size=35, flags_bitset=6905944396334922751, alloc_func_ptr=0x0, user_data=0x0, result=0x7fffffffdbc0) at ./json.h:2129
    #5  0x0000555555679193 in main (argc=2, argv=0x7fffffffde08) at fuzz.c:29
    #6  0x00007ffff7ca3d90 in __libc_start_call_main (main=main@entry=0x555555678e30 <main>, argc=argc@entry=2, argv=argv@entry=0x7fffffffde08) at ../sysdeps/nptl/libc_start_call_main.h:58
    #7  0x00007ffff7ca3e40 in __libc_start_main_impl (main=0x555555678e30 <main>, argc=2, argv=0x7fffffffde08, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffddf8) at ../csu/libc-start.c:392
    #8  0x0000555555587315 in _start ()
    

The input to trigger this bug is attached. The first 8 bytes are the flags for json_parse_ex() and the rest is the content(src). Please use address sanitizer to reproduce the bug, as non-crash overflow is hard to detect or locate without shadow memory.

Also, you can always use the code below to reproduce the vulnerabilities I reported(and I won't attach it in each report for simplicity:

#include <stdint.h\>
#include <string.h\>
#include <stdlib.h\>
#include <stdio.h\>
#include "json.h"

#define BUFF\_SIZE 0x1000

int main(int argc, char\*\* argv){
    if(argc != 2){
        printf("Wrong number of arguments\\n");
        exit(0);
    }

    char data\[BUFF\_SIZE\];
    FILE \*f = fopen(argv\[1\], "r");
    size\_t size = fread(data, 1, BUFF\_SIZE, f);

    if(size < sizeof(size\_t)){
        // to short input, exit
        exit(0);
    }
    size\_t flags = \*((size\_t \*)data);

    printf("The flags is 0x%zx\\n", flags);

    struct json\_parse\_result\_s result;

    json\_parse\_ex(data + sizeof(size\_t), size - sizeof(size\_t), flags, NULL, NULL, &result);
}

CVE-2022-45496: Heap Overflow in json.h(json_parse_string())

Buffer overflow vulnerability in function json_parse_key in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to code arbitrary code and gain escalated privileges.

Heap Overflow in json\_parse\_key()  
In json\_parse\_key(), there is a heap out-of-bound write. The bug can be triggered with an invocation of json\_parse\_ex() with specific flags combination. The root cause of this vulnerability is that the parameter string transferred to json\_parse\_key() is not properly sanitized, and it is pointed to out-of-bound position assigned by upper layer function.

Here is the output of Google ASAN when the vulnerability is triggerred:

**The flags is 0xd6d7d6d6247bff7f**

\==5286==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61f000000c58 at pc 0x5651b3173086 bp 0x7ffcafde8e10 sp 0x7ffcafde8e08  
WRITE of size 8 at 0x61f000000c58 thread T0  
#0 0x5651b3173085 in json\_parse\_key /home/hyrathon/Desktop/jsonh/./json.h:1576:22  
#1 0x5651b3174e8b in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1694:11  
#2 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#3 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#4 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#5 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#6 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#7 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#8 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#9 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#10 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#11 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#12 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#13 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#14 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#15 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#16 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#17 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#18 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#19 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#20 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#21 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#22 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#23 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#24 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#25 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#26 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#27 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#28 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#29 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#30 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#31 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#32 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#33 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#34 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#35 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#36 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#37 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#38 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#39 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#40 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#41 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#42 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#43 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#44 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#45 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#46 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#47 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#48 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#49 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#50 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#51 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#52 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#53 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#54 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#55 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#56 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#57 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#58 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#59 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#60 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#61 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#62 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#63 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#64 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#65 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#66 0x5651b3176ad9 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1955:7  
#67 0x5651b317ad4b in json\_parse\_array /home/hyrathon/Desktop/jsonh/./json.h:1809:5  
#68 0x5651b3176ed5 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1962:7  
#69 0x5651b31758f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#70 0x5651b31761c8 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1940:5  
#71 0x5651b317ec85 in json\_parse\_ex /home/hyrathon/Desktop/jsonh/./json.h:2129:3  
#72 0x5651b3195192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5  
#73 0x7f1945b88d8f in \_\_libc\_start\_call\_main csu/../sysdeps/nptl/libc\_start\_call\_main.h:58:16  
#74 0x7f1945b88e3f in \_\_libc\_start\_main csu/../csu/libc-start.c:392:3  
#75 0x5651b30a3314 in \_start (/home/hyrathon/Desktop/jsonh/san+0x33314) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)

0x61f000000c58 is located 14 bytes to the right of 3018-byte region \[0x61f000000080,0x61f000000c4a)  
allocated by thread T0 here:  
#0 0x5651b312615e in \_\_interceptor\_malloc (/home/hyrathon/Desktop/jsonh/san+0xb615e) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)  
#1 0x5651b317df15 in json\_parse\_ex /home/hyrathon/Desktop/jsonh/./json.h:2088:18  
#2 0x5651b3195192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5  
#3 0x7f1945b88d8f in \_\_libc\_start\_call\_main csu/../sysdeps/nptl/libc\_start\_call\_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hyrathon/Desktop/jsonh/./json.h:1576:22 in json\_parse\_key  
Shadow bytes around the buggy address:  
0x0c3e7fff8130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c3e7fff8140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c3e7fff8150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c3e7fff8160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c3e7fff8170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c3e7fff8180: 00 00 00 00 00 00 00 00 00 02 fa\[fa\]fa fa fa fa  
0x0c3e7fff8190: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c3e7fff81a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c3e7fff81b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c3e7fff81c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c3e7fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==5286==ABORTING  
The input to trigger this bug is attached. The first 8 bytes are the flags for json\_parse\_ex() and the rest is the content(src). Please use address sanitizer to reproduce the bug, as non-crash overflow is hard to detect or locate without shadow memory.

Version: latest commit (sheredom/json.h@bdcf2e1)

Also I will attach another input that can trigger similar bug in json\_parse\_key().  
crash-another.zip

CVE-2022-45493: Heap Overflow in json.h(json_parse_key())

Buffer overflow vulnerability in function json_parse_number in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to code arbitrary code and gain escalated privileges.

Heap Overflow in json\_parse\_number()  
In json\_parse\_number(), there is a heap out-of-bound write. The bug can be triggered with an invocation of json\_parse\_ex() with specific flags combination. The root cause of this vulnerability is that the parameter number transferred to json\_parse\_number() is not properly sanitized, and it is pointed to out-of-bound position assigned by upper layer function.

Here is the output of Google ASAN when the vulnerability is triggerred:

**The flags is 0x5fd6d79cd6247bff**

\==5128==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000001c0 at pc 0x560f532c646f bp 0x7ffc97871f80 sp 0x7ffc97871f78  
WRITE of size 8 at 0x6140000001c0 thread T0  
#0 0x560f532c646e in json\_parse\_number /home/hyrathon/Desktop/jsonh/./json.h:1839:18  
#1 0x560f532c22d1 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1980:7  
#2 0x560f532c08f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#3 0x560f532c11c8 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1940:5  
#4 0x560f532c9c85 in json\_parse\_ex /home/hyrathon/Desktop/jsonh/./json.h:2129:3  
#5 0x560f532e0192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5  
#6 0x7f65c9a20d8f in \_\_libc\_start\_call\_main csu/../sysdeps/nptl/libc\_start\_call\_main.h:58:16  
#7 0x7f65c9a20e3f in \_\_libc\_start\_main csu/../csu/libc-start.c:392:3  
#8 0x560f531ee314 in \_start (/home/hyrathon/Desktop/jsonh/san+0x33314) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)

0x6140000001c4 is located 0 bytes to the right of 388-byte region \[0x614000000040,0x6140000001c4)  
allocated by thread T0 here:  
#0 0x560f5327115e in \_\_interceptor\_malloc (/home/hyrathon/Desktop/jsonh/san+0xb615e) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)  
#1 0x560f532c8f15 in json\_parse\_ex /home/hyrathon/Desktop/jsonh/./json.h:2088:18  
#2 0x560f532e0192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5  
#3 0x7f65c9a20d8f in \_\_libc\_start\_call\_main csu/../sysdeps/nptl/libc\_start\_call\_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hyrathon/Desktop/jsonh/./json.h:1839:18 in json\_parse\_number  
Shadow bytes around the buggy address:  
0x0c287fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c287fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c287fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00  
0x0c287fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c287fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c287fff8030: 00 00 00 00 00 00 00 00\[04\]fa fa fa fa fa fa fa  
0x0c287fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c287fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c287fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c287fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c287fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==5128==ABORTING  
The input to trigger this bug is attached. The first 8 bytes are the flags for json\_parse\_ex() and the rest is the content(src). Please use address sanitizer to reproduce the bug, as non-crash overflow is hard to detect or locate without shadow memory.

Version: latest commit (sheredom/json.h@bdcf2e1)

crash-input.zip

CVE-2022-45492: Heap Overflow in json.h(json_parse_number())

Buffer overflow vulnerability in function json_parse_value in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to code arbitrary code and gain escalated privileges.

In json_parse_value(), there is a heap out-of-bound write. The bug can be triggered with an invocation of json_parse_ex() with specific flags combination. The root cause of this vulnerability is that the value transferred to json_parse_value() is not properly sanitized, and it is pointed to out-of-bound position.

    The flags is 0x5fd6d7d6d6247b16
    =================================================================
    ==5035==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000110 at pc 0x5615f43f0b7e bp 0x7ffc2be6fcd0 sp 0x7ffc2be6fcc8
    WRITE of size 8 at 0x611000000110 thread T0
        #0 0x5615f43f0b7d in json_parse_value /home/hyrathon/Desktop/jsonh/./json.h:1959:19
        #1 0x5615f43ef8f0 in json_parse_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5
        #2 0x5615f43f01c8 in json_parse_value /home/hyrathon/Desktop/jsonh/./json.h:1940:5
        #3 0x5615f43f8c85 in json_parse_ex /home/hyrathon/Desktop/jsonh/./json.h:2129:3
        #4 0x5615f440f192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5
        #5 0x7fee4e17bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #6 0x7fee4e17be3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #7 0x5615f431d314 in _start (/home/hyrathon/Desktop/jsonh/san+0x33314) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)
    
    0x611000000111 is located 0 bytes to the right of 209-byte region [0x611000000040,0x611000000111)
    allocated by thread T0 here:
        #0 0x5615f43a015e in __interceptor_malloc (/home/hyrathon/Desktop/jsonh/san+0xb615e) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)
        #1 0x5615f43f7f15 in json_parse_ex /home/hyrathon/Desktop/jsonh/./json.h:2088:18
        #2 0x5615f440f192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5
        #3 0x7fee4e17bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hyrathon/Desktop/jsonh/./json.h:1959:19 in json_parse_value
    Shadow bytes around the buggy address:
      0x0c227fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c227fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c227fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c227fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c227fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c227fff8020: 00 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==5035==ABORTING
    

The input to trigger this bug is attached. The first 8 bytes are the flags for json_parse_ex() and the rest is the content(src). Please use address sanitizer to reproduce the bug, as non-crash overflow is hard to detect or locate without shadow memory.

CVE-2022-45491: Heap Overflow in json_parse_value() · Issue #94 · sheredom/json.h

Buffer Overflow vulnerability in authfile.c memcached 1.6.9 allows attackers to cause a denial of service via crafted authenticattion file.

**Tested On:**

memcached 1.6.9

**PoC:**

a.txt

**./memcached --auth-file=input/a.txt -u root -m 1024 -p 11211**

\==1061115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000009e at pc 0x7fae5a305f9d bp 0x7ffee16f4fd0 sp 0x7ffee16f4778  
WRITE of size 15 at 0x60200000009e thread T0  
#0 0x7fae5a305f9c (/lib/x86\_64-linux-gnu/libasan.so.5+0x53f9c)  
#1 0x55bca5ccaf23 in fgets /usr/include/x86\_64-linux-gnu/bits/stdio2.h:265  
#2 0x55bca5ccaf23 in authfile\_load /home/constantine/test/memcached/authfile.c:50  
#3 0x55bca5c3ffb5 in main /home/constantine/test/memcached/memcached.c:5639  
#4 0x7fae597010b2 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x270b2)  
#5 0x55bca5c45d9d in \_start (/home/constantine/test/memcached/memcached+0x26d9d)

0x60200000009e is located 0 bytes to the right of 14-byte region \[0x602000000090,0x60200000009e)  
allocated by thread T0 here:  
#0 0x7fae5a3bfdc6 in calloc (/lib/x86\_64-linux-gnu/libasan.so.5+0x10ddc6)  
#1 0x55bca5ccaedd in authfile\_load /home/constantine/test/memcached/authfile.c:44

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86\_64-linux-gnu/libasan.so.5+0x53f9c)  
Shadow bytes around the buggy address:  
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff8000: fa fa 00 04 fa fa 00 00 fa fa 00 00 fa fa 00 00  
\=>0x0c047fff8010: fa fa 00\[06\]fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==1061115==ABORTING

CVE-2021-37519: Heap buffer overflow · Issue #805 · memcached/memcached

Buffer Overflow vulnerability in pdfimages in xpdf 4.03 allows attackers to crash the application via crafted command.

CVE-2021-36493: Stack overflow bugs in pdfimages of xpdf 4.03

Buffer Overflow vulnerability in Cesanta mJS 1.26 allows remote attackers to cause a denial of service via crafted .js file to mjs_set_errorf.

**Built:**

Jun 30 2021

**Details:**

heap-based buffer overflow **mjs.c:7617** in **mjs\_set\_errorf**

**Command:**

./mjs -f Heap\_Buffer\_Overflow.js

**Result:**

\==2419050==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000178 at pc 0x55555557f3ed bp 0x7fffffffcf40 sp 0x7fffffffcf30  
READ of size 8 at 0x604000000178 thread T0  
#0 0x55555557f3ec in mjs\_set\_errorf /home/constantine/mjs/mjs.c:7617  
#1 0x555555598395 in parse\_literal /home/constantine/mjs/mjs.c:12166  
#2 0x55555559861b in parse\_call\_dot\_mem /home/constantine/mjs/mjs.c:12175  
#3 0x5555555990d3 in parse\_postfix /home/constantine/mjs/mjs.c:12209  
#4 0x55555559932c in parse\_unary /home/constantine/mjs/mjs.c:12228  
#5 0x5555555995d1 in parse\_mul\_div\_rem /home/constantine/mjs/mjs.c:12241  
#6 0x555555599ba8 in parse\_plus\_minus /home/constantine/mjs/mjs.c:12246  
#7 0x55555559a1c1 in parse\_shifts /home/constantine/mjs/mjs.c:12251  
#8 0x55555559a648 in parse\_comparison /home/constantine/mjs/mjs.c:12255  
#9 0x55555559a9bb in parse\_equality /home/constantine/mjs/mjs.c:12259  
#10 0x55555559ae46 in parse\_bitwise\_and /home/constantine/mjs/mjs.c:12264  
#11 0x55555559b3ec in parse\_bitwise\_xor /home/constantine/mjs/mjs.c:12269  
#12 0x55555559b992 in parse\_bitwise\_or /home/constantine/mjs/mjs.c:12274  
#13 0x55555559bf38 in parse\_logical\_and /home/constantine/mjs/mjs.c:12279  
#14 0x55555559c4de in parse\_logical\_or /home/constantine/mjs/mjs.c:12284  
#15 0x7fffffffdc0f (\[stack\]+0x1fc0f)

Address 0x604000000178 is a wild pointer.  
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/constantine/mjs/mjs.c:7617 in mjs\_set\_errorf  
Shadow bytes around the buggy address:  
0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c087fff8000: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00  
0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]  
0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==2419050==ABORTING

**PoC:**

Heap\_Buffer\_Overflow.js.tar.gz

CVE-2021-36535: Heap-based Buffer Overflow Vulnerability · Issue #175 · cesanta/mjs

Buffer OverFlow Vulnerability in Barenboim json-parser master and v1.1.0 fixed in v1.1.1 allows an attacker to execute arbitrary code via the json_value_parse function.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-23088: heap-buffer-overflow at json_value_parse · Issue #7 · Barenboim/json-parser

Buffer OverFlow Vulnerability in MojoJson v1.2.3 allows an attacker to execute arbitrary code via the SkipString function.

CVE-2023-23086: heap-buffer-overflow in func SkipString · Issue #2 · scottcgi/MojoJson

Buffer Overflow vulnerability in HDFGroup hdf5-h5dump 1.12.0 through 1.13.0 allows attackers to cause a denial of service via h5tools_str_sprint in /hdf5/tools/lib/h5tools_str.c.

Tag

#buffer_overflow