#55 crash parsing invalid JSON string

open
nobody
None
5
2012-07-14
2012-07-14
Anonymous
No

libjson v7.6.1 [MSVC v1600 32bit (x86)] Jul 13 2012, 22:21:35
Compilation options:
JSON_DEBUG JSON_SAFE JSON_STDERROR JSON_PREPARSE
JSON_REF_COUNT JSON_BINARY JSON_ITERATORS

Parsing the (invalid) string: ["foo"
raises a "Debug Assertion Failed!" error in xstring line 78 with the message: string iterator not dereferencable.
It looks like JSONPreparse::isValidArray() is trying to read past the end of the string.

Trying to parse: {"foo"
raises a slightly different exception - string iterator not incrementable.

Discussion


  • Anonymous
    2012-07-14

    It seems this is a "feature" of the Microsoft C++ standard library - http://msdn.microsoft.com/en-us/library/aa985965. Apparently us programmers can't be trusted with our own pointers any more. I had to define both _SECURE_SCL=0 and _HAS_ITERATOR_DEBUGGING=0 and that fixed it, although I'm not sure that is the best solution. It looks like the JSONPreparse code relies on being able to dereference the NULL past the end of the string, but I'm pretty sure that the C++ standard doesn't guarantee that you can do that, so there could potentially be implementations where this would break for real.

     

  • Anonymous
    2012-07-16

    Unfortunately, defining _SECURE_SCL=0 forces the entire project to be compiled with that setting, otherwise the linker complains about symbol mismatches. This might not be acceptable to some projects. I am attaching a patch that catches the two instances that I could find in JSONPreparse where the string is read past the end.

     

  • Anonymous
    2012-07-16

    patch for JSONPreparse.cpp

     
    Attachments

  • Anonymous
    2012-07-16

    Along the same line, trying to parse: ["foo"]#bar will read past the end of string in JSONWorker.cpp in private_RemoveWhiteSpace() - I get an "Invalid JSON character detected (hi)" message when it reads a garbage char after the NULL. I am attaching another patch that fixes that.

    This method is also using string.data() instead of string.c_str() to get its pointers, but I think there are code paths in it that rely on being able to read a terminating NULL, which only c_str() guarantees.
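
The read-past-the-end cases in this thread (the truncated `["foo"` and `{"foo"` from the report, and `["foo"]#bar` above) are all bounds-checking failures, so here is an added example, not libjson's code or the attached patches, of a minimal structural scanner that checks container nesting and string literals while guarding every read against the end of the input:

```cpp
#include <cstddef>
#include <string>

// Added example (not libjson's code): validates JSON array/object nesting
// and string literals without ever reading beyond the input, so truncated
// input such as ["foo" or {"foo" is rejected instead of dereferencing past
// the end of the string. Values (numbers, literals, commas) are not checked.
// Returns true only for a complete, balanced container with no trailing
// garbage; every access to text[i] is guarded by i < n.
bool isStructurallyValid(const std::string& text) {
    const std::size_t n = text.size();
    std::size_t i = 0;
    std::string closers;  // stack of expected closing brackets, e.g. "]}"

    while (i < n) {
        const char c = text[i];
        if (c == '"') {
            ++i;  // consume opening quote, then scan the literal
            while (i < n && text[i] != '"') {
                if (text[i] == '\\') {
                    ++i;                      // the escaped character
                    if (i >= n) return false; // backslash at end of input
                }
                ++i;
            }
            if (i >= n) return false;  // unterminated string, e.g. ["foo"
            ++i;                       // consume closing quote
        } else if (c == '[' || c == '{') {
            closers.push_back(c == '[' ? ']' : '}');
            ++i;
        } else if (c == ']' || c == '}') {
            if (closers.empty() || closers.back() != c) return false;
            closers.pop_back();
            ++i;
            if (closers.empty()) {
                // Top-level container closed: only whitespace may follow,
                // so ["foo"]#bar is rejected rather than scanned past.
                while (i < n && (text[i] == ' ' || text[i] == '\t' ||
                                 text[i] == '\n' || text[i] == '\r')) ++i;
                return i == n;
            }
        } else {
            ++i;  // commas, colons, numbers, literals: not validated here
        }
    }
    return false;  // input ended with containers still open, e.g. {"foo"
}
```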

     

  • Anonymous
    2012-07-16

    patch for JSONWorker.cpp

     
    Last edit: Anonymous 2014-10-15
    Attachments
  • Interesting :/

     