
A segmentation fault in cJSON_SetValuestring

Open Up-wind opened this issue 4 months ago • 0 comments

Hi,

When fuzzing the cJSON library, I found a segmentation fault in cJSON_SetValuestring.

If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer dereference will happen in the following statements:

CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
{
    ···
    if (object->valuestring == NULL)
    {
        return NULL;
    }
    if (strlen(valuestring) <= strlen(object->valuestring)) // null pointer dereference happens here
    {
        strcpy(object->valuestring, valuestring);
        return object->valuestring;
    }

The PoC is as follows:

    cJSON *item = cJSON_CreateString("apple");
    cJSON_SetValuestring(item, NULL); /* NULL valuestring reaches strlen() */

The null pointer dereference here can potentially cause a denial of service (DoS). Maybe we can check it before strlen(), just like we already do for object->valuestring.

Up-wind, Mar 25 '24 12:03
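The following is an added example, not cJSON's own code and not part of the issue: it models the logic quoted above on a minimal stand-in struct and shows the vulnerable check next to the hardened one the reporter suggests. `item_t`, `make_item`, `free_item`, `replace_valuestring`, `set_valuestring_unsafe`, `set_valuestring_safe` and `demo` are all constructed for this example; the real cJSON_SetValuestring uses cJSON's own allocator hooks and performs further checks that the quoted excerpt elides with `···`, none of which are reproduced here.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the one field of cJSON's item struct that matters
 * here. The real struct has more members; they are irrelevant to this bug. */
typedef struct {
    char *valuestring;
} item_t;

/* Constructed helper playing the role of cJSON_CreateString: allocate an item
 * that owns a copy of s. */
static item_t *make_item(const char *s)
{
    item_t *it = malloc(sizeof *it);
    if (it == NULL) return NULL;
    size_t n = strlen(s) + 1;
    it->valuestring = malloc(n);
    if (it->valuestring == NULL) { free(it); return NULL; }
    memcpy(it->valuestring, s, n);
    return it;
}

static void free_item(item_t *it)
{
    if (it == NULL) return;
    free(it->valuestring);
    free(it);
}

/* Shared tail of both variants: copy in place when the new string fits,
 * otherwise allocate a fresh buffer and swap it in. Both arguments must be
 * non-NULL; this is exactly the code that crashes when they are not. */
static char *replace_valuestring(item_t *object, const char *valuestring)
{
    if (strlen(valuestring) <= strlen(object->valuestring)) {
        strcpy(object->valuestring, valuestring);
        return object->valuestring;
    }
    size_t n = strlen(valuestring) + 1;
    char *copy = malloc(n);
    if (copy == NULL) return NULL;
    memcpy(copy, valuestring, n);
    free(object->valuestring);
    object->valuestring = copy;
    return object->valuestring;
}

/* Mirrors the checks quoted in the issue: the existing string is tested for
 * NULL, the incoming one is not, so a NULL argument reaches strlen().
 * Kept only for comparison; calling it with valuestring == NULL crashes. */
static char *set_valuestring_unsafe(item_t *object, const char *valuestring)
{
    if (object->valuestring == NULL) {
        return NULL;
    }
    return replace_valuestring(object, valuestring);
}

/* Hardened form: reject a NULL object or NULL argument up front, the same
 * way the existing object->valuestring check already does. */
static char *set_valuestring_safe(item_t *object, const char *valuestring)
{
    if (object == NULL || valuestring == NULL || object->valuestring == NULL) {
        return NULL;
    }
    return replace_valuestring(object, valuestring);
}

/* Runs the issue's PoC against the hardened function, then the two normal
 * paths (shorter and longer replacement) on both variants.
 * Returns 0 on success, otherwise the number of the first failing step. */
static int demo(void)
{
    item_t *it = make_item("apple");
    if (it == NULL) return 1;
    int rc = 0;
    /* The PoC from the issue: NULL must be rejected, not dereferenced. */
    if (set_valuestring_safe(it, NULL) != NULL) rc = 2;
    else if (strcmp(it->valuestring, "apple") != 0) rc = 3;   /* left untouched */
    /* Shorter value: copied in place. */
    else if (set_valuestring_safe(it, "fig") == NULL || strcmp(it->valuestring, "fig") != 0) rc = 4;
    /* Longer value: new buffer allocated. */
    else if (set_valuestring_safe(it, "watermelon") == NULL || strcmp(it->valuestring, "watermelon") != 0) rc = 5;
    /* With a non-NULL argument the unchecked variant behaves identically. */
    else if (set_valuestring_unsafe(it, "plum") == NULL || strcmp(it->valuestring, "plum") != 0) rc = 6;
    free_item(it);
    return rc;
}
```

The only difference between the two variants is the one extra condition in `set_valuestring_safe`; everything after it is shared, which is why a single guard at the top is enough to turn the crash into a NULL return that callers can already handle, since the function returns NULL on other failures too.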