Heap-buffer-overflow on print_string_ptr

[GPTFuzzx]

Hi .

The following libfuzzer harness for cJSON :

#include <cstdlib>
#include <cstdio>
#include <cstdint>
#include <cstring>
#include <cmath>
#include <cassert>
#include <climits>
#include <emmintrin.h>
#include <immintrin.h>
#include <algorithm>
#include <cstddef>
#include <random>
#include <ctime>
#include <memory>
#include <sys/time.h>
#include <sys/stat.h>
#include <iostream>
#include <unistd.h>
#include <fcntl.h>
#include <sstream>
#include <cstdbool>
#include <csetjmp>
#include "cJSON_Utils.h"
void custom_mutator(cJSON *item) {
    if (item == NULL) return;
    switch (item->type & 0xFF) {
        case cJSON_False:
        case cJSON_True:
            item->type ^= (cJSON_False ^ cJSON_True);
            break;
        case cJSON_Number:
            item->valuedouble += 1.0;
            item->valueint += 1;
            break;
        case cJSON_String:
            if (item->valuestring != NULL) {
                item->valuestring[0] = item->valuestring[0] + 1;
            }
            break;
        case cJSON_Array:
        case cJSON_Object:
            for (cJSON *child = item->child; child != NULL; child = child->next) {
                custom_mutator(child);
            }
            break;
        default:
            break;
    }
}
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    FILE *in_file = fmemopen((void *)data, size, "rb");
    if (in_file == NULL) {
        return 0;
    }
    fseek(in_file, 0, SEEK_END);
    size_t file_size = ftell(in_file);
    fseek(in_file, 0, SEEK_SET);
    char *json_str = (char *)malloc(file_size + 1);
    if (json_str == NULL) {
        fclose(in_file);
        return 0;
    }
    fread(json_str, 1, file_size, in_file);
    json_str[file_size] = '\0';
    fclose(in_file);
    const char *parse_end = NULL;
    cJSON *json = cJSON_ParseWithLengthOpts(json_str, file_size, &parse_end, cJSON_False);
    if (json != NULL) {
        if ((json_str[0] & 1) == 0) {
            custom_mutator(json);
        }
        cJSON_AddItemToObject(json, "fuzz_key", cJSON_CreateString("fuzz_value"));
        cJSON_AddItemToArray(json, cJSON_CreateNumber(42));
        char *printed_json = cJSON_Print(json);
        if (printed_json != NULL) {
            FILE *out_file = fopen("output_file", "wb");
            if (out_file != NULL) {
                fwrite(printed_json, 1, strlen(printed_json), out_file);
                fclose(out_file);
            }
            free(printed_json);
        }
        cJSON *cloned_json = cJSON_Duplicate(json, cJSON_True);
        if (cloned_json != NULL) {
            cJSON_ReplaceItemInObject(cloned_json, "fuzz_key", cJSON_CreateNull());
            char *unformatted_str = cJSON_PrintUnformatted(cloned_json);
            if (unformatted_str != NULL) {
                free(unformatted_str);
            }
            cJSON_Delete(cloned_json);
        }
        cJSON_Delete(json);
    }
    free(json_str);
    return 0;
}

Triggered an out-of-bounds read error on print_string_ptr() function.

The Address Sanitizer stack trace :

INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 136631327
INFO: Loaded 1 modules   (1269 inline 8-bit counters): 1269 [0x562945992368, 0x56294599285d), 
INFO: Loaded 1 PC tables (1269 PCs): 1269 [0x562945992860,0x5629459977b0), 
/out/API_123_syntax_1_refined: Running 1 inputs 1 time(s) each.
Running: /out/traces/quest_154/crashes/crashcrash-0a3ba97e78e76ef6a1be90ab8ed572ebd49db737
=================================================================
==2116==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000000092 at pc 0x562945929dab bp 0x7fff2f8bf110 sp 0x7fff2f8bf108
READ of size 1 at 0x502000000092 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
    #0 0x562945929daa in print_string_ptr /src/cjson/cJSON.c:950:33
    #1 0x56294591e4eb in print_string /src/cjson/cJSON.c:1046:12
    #2 0x56294591e4eb in print_value /src/cjson/cJSON.c:1451:20
    #3 0x56294591e5cb in print_array /src/cjson/cJSON.c:1588:14
    #4 0x56294591e5cb in print_value /src/cjson/cJSON.c:1454:20
    #5 0x56294591e5cb in print_array /src/cjson/cJSON.c:1588:14
    #6 0x56294591e5cb in print_value /src/cjson/cJSON.c:1454:20
    #7 0x56294591e5cb in print_array /src/cjson/cJSON.c:1588:14
    #8 0x56294591e5cb in print_value /src/cjson/cJSON.c:1454:20
    #9 0x56294591e5cb in print_array /src/cjson/cJSON.c:1588:14
    #10 0x56294591e5cb in print_value /src/cjson/cJSON.c:1454:20
    #11 0x56294591dd2b in print /src/cjson/cJSON.c:1226:10
    #12 0x56294591ac0a in LLVMFuzzerTestOneInput /src/cjson/fuzzers/API_123_syntax_1_refined.cc:74:30
    #13 0x5629457cf300 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #14 0x5629457ba575 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #15 0x5629457c000f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #16 0x5629457eb2b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #17 0x7f01049fc082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)
    #18 0x5629457b275d in _start (/out/API_123_syntax_1_refined+0x4575d)

DEDUP_TOKEN: print_string_ptr--print_string--print_value
0x502000000092 is located 0 bytes after 2-byte region [0x502000000090,0x502000000092)
allocated by thread T0 here:
    #0 0x5629458db0cf in malloc /src/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x562945928d61 in parse_string /src/cjson/cJSON.c:831:34
    #2 0x56294591c258 in parse_value /src/cjson/cJSON.c:1369:16
    #3 0x56294591ce98 in parse_array /src/cjson/cJSON.c:1526:14
    #4 0x56294591ce98 in parse_value /src/cjson/cJSON.c:1379:16
    #5 0x56294591ce98 in parse_array /src/cjson/cJSON.c:1526:14
    #6 0x56294591ce98 in parse_value /src/cjson/cJSON.c:1379:16
    #7 0x56294591ce98 in parse_array /src/cjson/cJSON.c:1526:14
    #8 0x56294591ce98 in parse_value /src/cjson/cJSON.c:1379:16
    #9 0x56294591ce98 in parse_array /src/cjson/cJSON.c:1526:14
    #10 0x56294591ce98 in parse_value /src/cjson/cJSON.c:1379:16
    #11 0x56294591bc2f in cJSON_ParseWithLengthOpts /src/cjson/cJSON.c:1140:10
    #12 0x56294591ab3f in LLVMFuzzerTestOneInput /src/cjson/fuzzers/API_123_syntax_1_refined.cc:67:19
    #13 0x5629457cf300 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:614:13
    #14 0x5629457ba575 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:327:6
    #15 0x5629457c000f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:862:9
    #16 0x5629457eb2b2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #17 0x7f01049fc082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 0702430aef5fa3dda43986563e9ffcc47efbd75e)

DEDUP_TOKEN: __interceptor_malloc--parse_string--parse_value
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/cjson/cJSON.c:950:33 in print_string_ptr
Shadow bytes around the buggy address:
  0x501ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x501ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x501fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x501fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x502000000000: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 fa
=>0x502000000080: fa fa[02]fa fa fa 00 03 fa fa 00 01 fa fa fa fa
  0x502000000100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x502000000300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2116==ABORTING

Affected cJSON commit : 12c4bf1986c288950a3d06da757109a6aa1ece38

We didn't check the latest cJSON commit to see if the same behavior is happening . If that affects the latest version as well, then a patch likely needed.

Can you please check it and apply a patch if needed ?

Thanks.

[coveyjorjet]

Could you provide the content example json_str after fread()