Security issue - double free in parse_object

[dzonerzy]

Hi during a fuzzing session using PyJFuzz, i found that is possible to trigger a double free condition when parse_object function is called, the double free happend inside parse_string, below a screenshot

Below the testcase i used to crash cJSON

[{"FsrKY7": {"xsatsIjrY": {"f4UOmTp": -59.634942997}, "qf6t2w7f0": {}, "vwY7wMW": {"mcyrBl": "X1tjR5d", "m\FsFF20": "UzbJl"}}, "FGRF1wI": {"R6KZm": 127, "jC8utX": null}, "6nrvXK9sk": {"Gj7zP": {}}}, {"V5GD8GR": -19.5946741823, "bYsh2vyhp": -24.3975015443}{"V5GD8GR": -19.5946741823, "bYsh2vyhp": 24.3975015443}, ]

and the output

I don't investigate further, so please let me know what do you think.

Best regards,
Daniele

[FSMaxB]

First of all, thanks for investing in the security of cJSON by applying fuzzing.

Currently I am unable to reproduce this with either the latest commit from master, or version 1.2.1. Cann you provide your full code for reproducing it please.

Please use attachments instead of pasting it in the issue comment.

[dzonerzy]

I clone the latest commit from master then i compile a simple test program which i'm attaching below together with the crash repro file.

files.zip

Please let me know if you need more info.

Regards,
Daniele

[FSMaxB]

I found the problem and I can reproduce it with just "\F. A fix is on the way.

[dzonerzy]

Well that's a good news, thanks for your support! awesome project

[FSMaxB]

Btw. this problem only existed on master, so v1.2.1 isn't effected.

[Poras08]

Hello Daniele, In your error at first place you are using a complex/recursive json, Can you tell how did you generate this Json.

I am also doing Fuzzing on Rest API.

Regards,
Poras

[dzonerzy]

I used PyJFuzz a tool of mine, but sadly this is now unmaintained