cJSON
A segmentation fault in cJSON_SetValuestring
Hi,

When fuzzing the cJSON library, I found a segmentation fault in cJSON_SetValuestring.

If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer dereference will happen in the following statements:
```c
CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
{
    ···
    if (object->valuestring == NULL)
    {
        return NULL;
    }
    if (strlen(valuestring) <= strlen(object->valuestring)) // null pointer dereference happens here
    {
        strcpy(object->valuestring, valuestring);
        return object->valuestring;
    }
```
The PoC is as follows:

```c
cJSON *item = cJSON_CreateString("apple");
cJSON_SetValuestring(item, NULL);
```
The null pointer dereference here can potentially cause denial of service (DoS). Maybe we can check it before strlen(), just like object->valuestring is checked.
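The check the report proposes, written out as an added example (this is not cJSON's own code and is not part of the issue). It uses a minimal stand-in struct `item` holding only the `valuestring` field, and the helpers `create_string`, `delete_item` and `set_and_check` are assumptions that stand in for cJSON_CreateString / cJSON_Delete and the test flow; `set_valuestring_checked` mirrors the replace-in-place / reallocate logic of the original function with the NULL guard added before `strlen()` is reached.

```c
/* Added example, not cJSON's code: cJSON_SetValuestring logic with a NULL guard.
 * The struct and helpers below are stand-ins for the real cJSON types/API. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a cJSON item: only the field the function touches. */
typedef struct item {
    char *valuestring;
} item;

/* Hardened variant: reject a NULL valuestring before strlen() can touch it,
 * mirroring the existing object->valuestring == NULL guard. Returns the new
 * string on success, NULL on bad input or allocation failure. */
static char *set_valuestring_checked(item *object, const char *valuestring)
{
    char *copy;
    size_t len;

    if (object == NULL || object->valuestring == NULL)
    {
        return NULL;
    }
    if (valuestring == NULL) /* the missing check from the issue */
    {
        return NULL;
    }
    if (strlen(valuestring) <= strlen(object->valuestring))
    {
        strcpy(object->valuestring, valuestring); /* new value fits in place */
        return object->valuestring;
    }
    /* Longer value: allocate a fresh buffer and swap it in. */
    len = strlen(valuestring) + 1;
    copy = (char *)malloc(len);
    if (copy == NULL)
    {
        return NULL;
    }
    memcpy(copy, valuestring, len);
    free(object->valuestring);
    object->valuestring = copy;
    return object->valuestring;
}

/* Stand-in for cJSON_CreateString: item owning a heap copy of s. */
static item *create_string(const char *s)
{
    item *it = (item *)calloc(1, sizeof(item));
    size_t len = strlen(s) + 1;
    if (it == NULL) return NULL;
    it->valuestring = (char *)malloc(len);
    if (it->valuestring == NULL) { free(it); return NULL; }
    memcpy(it->valuestring, s, len);
    return it;
}

/* Stand-in for cJSON_Delete. */
static void delete_item(item *it)
{
    if (it != NULL) { free(it->valuestring); free(it); }
}

/* Reproduce the PoC (NULL valuestring) against the hardened variant.
 * Returns 1 if the call is rejected and the old value survives intact. */
static int poc_null_valuestring_survives(void)
{
    item *it = create_string("apple");
    int ok;
    if (it == NULL) return 0;
    ok = (set_valuestring_checked(it, NULL) == NULL)
         && strcmp(it->valuestring, "apple") == 0;
    delete_item(it);
    return ok;
}

/* Normal path: start from `initial`, set `next`, report whether it took. */
static int set_and_check(const char *initial, const char *next)
{
    item *it = create_string(initial);
    int ok;
    if (it == NULL) return 0;
    ok = (set_valuestring_checked(it, next) != NULL)
         && strcmp(it->valuestring, next) == 0;
    delete_item(it);
    return ok;
}

int main(void)
{
    printf("NULL valuestring rejected: %s\n",
           poc_null_valuestring_survives() ? "yes" : "no");
    printf("shorter replace ok: %d, longer replace ok: %d\n",
           set_and_check("apple", "fig"), set_and_check("apple", "pineapple"));
    return 0;
}
```

The guard is placed after the `object->valuestring == NULL` check so that both operands of the `strlen()` comparison are known non-NULL before it executes; a NULL argument then yields a NULL return for the caller to handle instead of a crash.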