When rendering JSONB back into text JSON, report an error if a zero-length

integer or floating-point node is encountered.  Otherwise, if the node occurs
at the very end of the JSONB, the rendering logic might read one byte past
the end of the initialized part of the BLOB byte array.  OSSFuzz 66284.

FossilOrigin-Name: 3ab08ac75d97ffd9920f5c924362a4819560b40faa8a4f9100068057f5fa420a

diff --git a/manifest b/manifest
index 1c46c1d8d784176a816b46acd8f66bf5a2d89956..4477864cb9bf3bd0a5487c5988e47803f1e80ebe 100644 (file)
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Automatically\sdisable\sthe\sDISTINCT\soptimization\sduring\squery\splanning\sif\sthe\nORDER\sBY\sclause\sexceeds\s63\sterms.
-D 2024-01-28T17:44:47.120
+C When\srendering\sJSONB\sback\sinto\stext\sJSON,\sreport\san\serror\sif\sa\szero-length\ninteger\sor\sfloating-point\snode\sis\sencountered.\s\sOtherwise,\sif\sthe\snode\soccurs\nat\sthe\svery\send\sof\sthe\sJSONB,\sthe\srendering\slogic\smight\sread\sone\sbyte\spast\nthe\send\sof\sthe\sinitialized\spart\sof\sthe\sBLOB\sbyte\sarray.\s\sOSSFuzz\s66284.
+D 2024-01-29T12:58:12.455
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
 F LICENSE.md df5091916dbb40e6e9686186587125e1b2ff51f022cc334e886c19a0e9982724
@@ -697,7 +697,7 @@ F src/hash.h 3340ab6e1d13e725571d7cee6d3e3135f0779a7d8e76a9ce0a85971fa3953c51
 F src/hwtime.h f9c2dfb84dce7acf95ce6d289e46f5f9d3d1afd328e53da8f8e9008e3b3caae6
 F src/in-operator.md 10cd8f4bcd225a32518407c2fb2484089112fd71
 F src/insert.c 3f0a94082d978bbdd33c38fefea15346c6c6bffb70bc645a71dc0f1f87dd3276
-F src/json.c 19d96d7cae66e9b78b4ef98203e9fd916e35d20f5c8c85f079b66bd883fc9533
+F src/json.c a66722d3de25aa1ed8ff0570642f92ee6a1fb12dc3d1be3ea8d15ce734370abd
 F src/legacy.c d7874bc885906868cd51e6c2156698f2754f02d9eee1bae2d687323c3ca8e5aa
 F src/loadext.c 7432c944ff197046d67a1207790a1b13eec4548c85a9457eb0896bb3641dfb36
 F src/main.c 438b95162acfa17b7d218f586f5bde11d6ae82bcf030c9611fc537556870ad6b
@@ -2159,9 +2159,9 @@ F vsixtest/vsixtest.tcl 6a9a6ab600c25a91a7acc6293828957a386a8a93
 F vsixtest/vsixtest.vcxproj.data 2ed517e100c66dc455b492e1a33350c1b20fbcdc
 F vsixtest/vsixtest.vcxproj.filters 37e51ffedcdb064aad6ff33b6148725226cd608e
 F vsixtest/vsixtest_TemporaryKey.pfx e5b1b036facdb453873e7084e1cae9102ccc67a0
-P 593d6a1c2e9256d797f160e867278414e882a3d04d7fea269bea86965eaa7576
-Q +d4c193f0b49f4950b20c2f0e6aa037d2ed7d8c0b4687c14923b3a0d0d4a1b3fd
-R ca3283f0789d8e4b41a57bb59df1a9ad
+P 6edbdcc02d18727f68f0236e15dde4ecfc77e6f452b522eb4e1e895929b1fb63
+Q +b0eb279ea83c1c788c39fb90e178ec99fa4c782195c376a420c661fedf4545a7
+R 9465601f58e48e1bd5fa8d9687525e63
 U drh
-Z 2b9e32c39e2bfe542af85a77c540b8a3
+Z c2277fe1451981291fc69a30119dac3b
 # Remove this line to create a well-formed Fossil manifest.

diff --git a/manifest.uuid b/manifest.uuid
index 0680b6d84ced46abbe7a3442dd5dbd44808a8e18..1e930e4e2dd5c75e9dece9eec3cc19aa0be161e2 100644 (file)
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-6edbdcc02d18727f68f0236e15dde4ecfc77e6f452b522eb4e1e895929b1fb63
\ No newline at end of file
+3ab08ac75d97ffd9920f5c924362a4819560b40faa8a4f9100068057f5fa420a
\ No newline at end of file

diff --git a/src/json.c b/src/json.c
index 34ea058c1da422d53d5de4ae73224de4e085804b..bfce94b153875f1fc79ea58c10ff110f7f32c79d 100644 (file)
--- a/src/json.c
+++ b/src/json.c
@@ -2123,6 +2123,7 @@ static u32 jsonTranslateBlobToText(
     }
     case JSONB_INT:
     case JSONB_FLOAT: {
+      if( sz==0 ) goto malformed_jsonb;
       jsonAppendRaw(pOut, (const char*)&pParse->aBlob[i+n], sz);
       break;
     }
@@ -2131,6 +2132,7 @@ static u32 jsonTranslateBlobToText(
       sqlite3_uint64 u = 0;
       const char *zIn = (const char*)&pParse->aBlob[i+n];
       int bOverflow = 0;
+      if( sz==0 ) goto malformed_jsonb;
       if( zIn[0]=='-' ){
         jsonAppendChar(pOut, '-');
         k++;
@@ -2153,6 +2155,7 @@ static u32 jsonTranslateBlobToText(
     case JSONB_FLOAT5: { /* Float literal missing digits beside "." */
       u32 k = 0;
       const char *zIn = (const char*)&pParse->aBlob[i+n];
+      if( sz==0 ) goto malformed_jsonb;
       if( zIn[0]=='-' ){
         jsonAppendChar(pOut, '-');
         k++;
@@ -2290,6 +2293,7 @@ static u32 jsonTranslateBlobToText(
     }
 
     default: {
+      malformed_jsonb:
       pOut->eErr |= JSTRING_MALFORMED;
       break;
     }