git.ipfire.org Git - thirdparty/json-c.git/commit
Fix stack buffer overflow in json_object_double_to_json_string_format() 325/head
author    Even Rouault <even.rouault@spatialys.com>
          Thu, 18 May 2017 20:36:35 +0000 (22:36 +0200)
committer Even Rouault <even.rouault@spatialys.com>
          Thu, 18 May 2017 20:36:35 +0000 (22:36 +0200)
commit    2c2deb87f82149a78de9097c71607ea73100bca7
tree      0d9a2ce9efce11d664321757e34076e073dce8d5
parent    6bd86d1044f62ad3c06209842eda2caaa6c2214b
Fix stack buffer overflow in json_object_double_to_json_string_format()

Issue originally found in the json-c 0.11 internal copy in GDAL but also found
in latest git version.

If doing things like
    json_object* obj = json_object_new_double(1e300);
    json_object_set_serializer(obj, json_object_double_to_json_string, "%f", NULL);
    json_object_to_json_string(obj);

    size = snprintf(buf, sizeof(buf),
        format ? format :
          (modf(jso->o.c_double, &dummy) == 0) ? "%.17g.0" : "%.17g",
          jso->o.c_double);
will return a value greater than 128 since at least 300 characters are needed.
This value is then passed to printbuf_memappend(pb, buf, size); that tries to
read size bytes in buf.

So we should clamp size to sizeof(buf). And on Windows, _snprintf() returns -1
in that situation, so deal also with this case.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1682
Credit to OSS-Fuzz
json_object.c
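A stand-alone illustration of the over-read the commit message describes and of the clamp it proposes, added here as an example; it is not code from json-c or from this commit. The real printbuf is replaced by a small growable buffer, the modf() integrality test by a libm-free check, and the function names (double_to_buf_unclamped, double_to_printbuf_clamped and the two helpers) are assumptions for this example. The unclamped variant only reports what snprintf() claims it needs, since actually appending that many bytes from a 128-byte stack buffer is the out-of-bounds read being fixed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable byte buffer standing in for json-c's printbuf (a stand-in, not the library's code). */
struct printbuf {
    char *buf;
    size_t len;   /* bytes in use, excluding the terminating NUL */
    size_t cap;   /* bytes allocated */
};

static int printbuf_init(struct printbuf *pb) {
    pb->len = 0;
    pb->cap = 32;
    pb->buf = malloc(pb->cap);
    if (!pb->buf) return -1;
    pb->buf[0] = '\0';
    return 0;
}

/* Appends n bytes from data, growing as needed. Like the real printbuf_memappend
 * it trusts n: it reads exactly n bytes from data, wherever they come from. */
static int printbuf_memappend(struct printbuf *pb, const char *data, size_t n) {
    if (pb->len + n + 1 > pb->cap) {
        size_t ncap = pb->cap;
        while (pb->len + n + 1 > ncap) ncap *= 2;
        char *nb = realloc(pb->buf, ncap);
        if (!nb) return -1;
        pb->buf = nb;
        pb->cap = ncap;
    }
    memcpy(pb->buf + pb->len, data, n);
    pb->len += n;
    pb->buf[pb->len] = '\0';
    return (int)n;
}

static void printbuf_free(struct printbuf *pb) { free(pb->buf); pb->buf = NULL; }

/* libm-free stand-in for the modf(d, &dummy) == 0 test: every double with
 * magnitude >= 2^52 is integral; smaller ones are compared with their truncation. */
static int is_integral(double d) {
    if (d != d) return 0;                                   /* NaN */
    if (d >= 4503599627370496.0 || d <= -4503599627370496.0) return 1;
    return (double)(long long)d == d;
}

static const char *pick_format(double d, const char *format) {
    if (format) return format;
    return is_integral(d) ? "%.17g.0" : "%.17g";
}

/* Before the fix: snprintf's return value, the length the number *would* need,
 * went straight to printbuf_memappend. Only the length is reproduced here;
 * appending that many bytes from the 128-byte stack buffer is the over-read. */
static int double_to_buf_unclamped(double d, const char *format) {
    char buf[128];
    return snprintf(buf, sizeof(buf), pick_format(d, format), d);
}

/* After the fix: clamp to what buf holds. snprintf stores at most sizeof(buf) - 1
 * characters plus the NUL, and Windows _snprintf returns -1 on truncation, so a
 * negative result is clamped the same way. */
static int double_to_printbuf_clamped(struct printbuf *pb, double d, const char *format) {
    char buf[128];
    int size = snprintf(buf, sizeof(buf), pick_format(d, format), d);
    if (size < 0 || (size_t)size >= sizeof(buf)) size = (int)sizeof(buf) - 1;
    return printbuf_memappend(pb, buf, (size_t)size);
}

/* Bytes the clamped path appends for one value, or -1 on allocation failure. */
static int clamped_append_len(double d, const char *format) {
    struct printbuf pb;
    if (printbuf_init(&pb) < 0) return -1;
    int n = double_to_printbuf_clamped(&pb, d, format);
    int len = (n < 0) ? -1 : (int)pb.len;
    printbuf_free(&pb);
    return len;
}

/* 1 if the clamped path produces exactly `expected` for the value, else 0. */
static int clamped_text_is(double d, const char *format, const char *expected) {
    struct printbuf pb;
    if (printbuf_init(&pb) < 0) return 0;
    double_to_printbuf_clamped(&pb, d, format);
    int same = strcmp(pb.buf, expected) == 0;
    printbuf_free(&pb);
    return same;
}

int main(void) {
    printf("snprintf claims %d bytes for 1e300 with \"%%f\" (buf is 128)\n",
           double_to_buf_unclamped(1e300, "%f"));
    printf("clamped path appends %d bytes\n", clamped_append_len(1e300, "%f"));
    printf("3.0 with the default format appends %d bytes\n", clamped_append_len(3.0, NULL));
    return 0;
}
```

The clamp uses sizeof(buf) - 1 rather than sizeof(buf) because snprintf() always reserves the last byte for the NUL, so that is the most the buffer can legitimately contribute; a truncated number is still wrong output, but it is a bounded read of initialized stack bytes instead of a walk past the end of the frame.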