Recent changes to bugs

NULL pointer dereference in mjson 1.7

Yunho Kim — Tue, 11 Sep 2018 00:59:38 -0000

Dear Ruimaciel,
We have found a NULL pointer dereference issue in mjson.
The crash input is automatically generated by our test generation tool FOCAL.
You can find jsonparser.c in the attachment.

Here are details to reproduce the buffer overflow.
- OS & Compiler
Ubuntu Linux 16.04 x64 and GCC 5.4.0
- Build command
$ CFLAGS="-fsanitize=address" ./configure && make clean all
$ gcc -fsanitize=address -o jsonparser2 jsonparser.c -Isrc src/.libs/libmjson.a
- Run command
$ echo "abc"|./jsonparser
- Outputs
```
Some error occurred: 4
ASAN:SIGSEGV
=================================================================
==28253==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000411ded bp 0x7ffc323e2940 sp 0x7ffc323e2910 T0)
#0 0x411dec (/home/yhkim/json-1.7.0/jsonparser+0x411dec)
#1 0x411f74 (/home/yhkim/json-1.7.0/jsonparser+0x411f74)
#2 0x401294 (/home/yhkim/json-1.7.0/jsonparser+0x401294)
#3 0x7f97ef4a282f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x401008 (/home/yhkim/json-1.7.0/jsonparser+0x401008)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==28253==ABORTING
Aborted
```

Strict-aliasing rules violations

Marc Noirot — Thu, 08 Oct 2009 10:22:07 -0000

Compiling json.c and json.h 1.1 in GCC 4.2.4 causes a certain number of warnings related to type casts into (rcstring**).
While not a bug strictly-speaking, these rule violations might prevent your code from being properly optimized on certain platforms (see http://xania.org/200712/cpp-strict-aliasing\).

These warnings can be fixed by moving the rcstring declarations into json.h and by properly using rcstring* instead of void* in the json_parsing_info and json_saxy_parser_status structures.
This also allows the removal of every cast into rcstring* and rcstring** in the code.

I have patched json.c and json.h version 1.1 for use in my flvmeta project, the changed can be seen here : http://code.google.com/p/flvmeta/source/detail?r=131

Some Unicode cause Parse Error

jerry_king_iq — Tue, 24 Mar 2009 19:24:57 -0000

1151 case 3: /*inside a JSON string: escape unicode */
1152 {
1153 assert (*text != NULL);
1154 if ((**p >= 'a') && (**p <= 'e'))
1155 {
1156 if (rcs_catc (*text, **p) != RS_OK)
1157 return LEX_MEMORY;
1158 *state = 4; /* inside a JSON string: escape unicode */
1159 }
1160 else if ((**p >= 'A') && (**p <= 'E'))
1161 {
1162 if (rcs_catc (*text, **p) != RS_OK)
1163 return LEX_MEMORY;
1164 *state = 4; /* inside a JSON string: escape unicode */
1165 }

I am not sure why here **p is compared to 'e' and 'E' but not 'f' and 'F'. My json document contains a unicode 'ò' \u00F2, the parser will return error.

incomplete lexing of numbers beginning with '0'

Markus Eisenbach — Mon, 05 May 2008 13:48:17 -0000

I noticed that numbers beginning with '0.' and '0e' are not recognized by the lexer.

These changes to json.c (rev. 118) seem to fix the problem:

1271a1272
> ++*p;
1274a1276,1283
> case 'e':
> case 'E':
> if (rcs_catc (*text, **p) != RS_OK)
> return LEX_MEMORY;
> ++*p;
> *state = 22; /* number: exp start */
> break;
>

I hope that helps, and thanks for this useful library.

Markus Eisenbach

bug in json_free_value

Anonymous — Wed, 26 Sep 2007 12:34:20 -0000

IMHO the following extract of json_free_value is wrong.

> // fixing sibling linked list connections
> if ((*value)->previous && (*value)->next)
> {
> (*value)->previous->next = (*value)->next;
> (*value)->next->previous = (*value)->previous;
> }
> if ((*value)->previous)
> {
> (*value)->previous->next = NULL;
> }
> if ((*value)->next)
> {
> (*value)->next->previous = NULL;
> }

Maybe the intended behaviour is the following one.

> // fixing sibling linked list connections
> if ((*value)->previous && (*value)->next)
> {
> (*value)->previous->next = (*value)->next;
> (*value)->next->previous = (*value)->previous;
> }
> else
> {
> if ((*value)->previous)
> {
> (*value)->previous->next = NULL;
> }
> if ((*value)->next)
> {
> (*value)->next->previous = NULL;
> }
> }

My mail: jose.bollo@tele2.fr

swprintf at json.c

Dan V. Stolyarov — Fri, 29 Jun 2007 03:58:57 -0000

In file "json.c", function "json_escape_string" (or "json_escape_to_ascii" in last SVN version), I see the following line:
swprintf (temp, 7, L"\\u%.4x\t", text[i]);
which causes a compiler warning "passing arg 2 of `swprintf' makes pointer from integer without a cast".

May be "snwpintf" was supposed to be here?