jansson icon indicating copy to clipboard operation
jansson copied to clipboard
verified publisher icon akheron

Handle keys longer than 2 GB

Open stoeckmann opened this issue 3 years ago • 1 comments

It is possible to trigger an out of boundary read in compare_keys while dumping json with JSON_SORT_KEYS due to a signed integer usage.

If a key is longer than 2 GB then len in key_len turns negative. The code uses the smaller value for memory comparison. Since a negative int becomes a huge size_t value, the memcmp call eventually triggers an out of boundary read.

Proof of Concept:

  1. Create a json file with two keys, one being larger than 2 GB:

echo -n '{"' > header.json dd if=/dev/zero bs=1024 count=2097153 | tr '\0' 'a' > poc.json dd if=header.json of=poc.json conv=notrunc echo -n '":"a","a":""}' >> poc.json

  1. Compile and run this proof of concept code:
 #include <jansson.h>
 #include <unistd.h>
int main(void) {
json_error_t error;
 json_t *json;
 if ((json = json_load_file("poc.json", 0, &error)) == NULL)
  return 1;
 if (json_dump_file(json, "/dev/null", JSON_SORT_KEYS))
  return 1;
 return 0;
}

Without this patch, an out of boundary read occurs.

Signed-off-by: Tobias Stoeckmann [email protected]

stoeckmann avatar May 24 '22 17:05 stoeckmann

Coverage Status

Coverage decreased (-0.2%) to 96.08% when pulling 9095b2276c6bd76c2f354d67e4927ccc4fef36ae on stoeckmann:keys into 128e9c5f376ac425f13d3b1cf9a38d53e544ad23 on akheron:master.

coveralls avatar May 24 '22 17:05 coveralls