Buffer overflow vulnerability in function json_parse_value in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to code arbitrary code and gain escalated privileges.

In json_parse_value(), there is a heap out-of-bound write. The bug can be triggered with an invocation of json_parse_ex() with specific flags combination. The root cause of this vulnerability is that the value transferred to json_parse_value() is not properly sanitized, and it is pointed to out-of-bound position.

    The flags is 0x5fd6d7d6d6247b16
    =================================================================
    ==5035==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000000110 at pc 0x5615f43f0b7e bp 0x7ffc2be6fcd0 sp 0x7ffc2be6fcc8
    WRITE of size 8 at 0x611000000110 thread T0
        #0 0x5615f43f0b7d in json_parse_value /home/hyrathon/Desktop/jsonh/./json.h:1959:19
        #1 0x5615f43ef8f0 in json_parse_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5
        #2 0x5615f43f01c8 in json_parse_value /home/hyrathon/Desktop/jsonh/./json.h:1940:5
        #3 0x5615f43f8c85 in json_parse_ex /home/hyrathon/Desktop/jsonh/./json.h:2129:3
        #4 0x5615f440f192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5
        #5 0x7fee4e17bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #6 0x7fee4e17be3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #7 0x5615f431d314 in _start (/home/hyrathon/Desktop/jsonh/san+0x33314) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)
    
    0x611000000111 is located 0 bytes to the right of 209-byte region [0x611000000040,0x611000000111)
    allocated by thread T0 here:
        #0 0x5615f43a015e in __interceptor_malloc (/home/hyrathon/Desktop/jsonh/san+0xb615e) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)
        #1 0x5615f43f7f15 in json_parse_ex /home/hyrathon/Desktop/jsonh/./json.h:2088:18
        #2 0x5615f440f192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5
        #3 0x7fee4e17bd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hyrathon/Desktop/jsonh/./json.h:1959:19 in json_parse_value
    Shadow bytes around the buggy address:
      0x0c227fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c227fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c227fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c227fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c227fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c227fff8020: 00 00[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c227fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==5035==ABORTING
    

The input to trigger this bug is attached. The first 8 bytes are the flags for json_parse_ex() and the rest is the content(src). Please use address sanitizer to reproduce the bug, as non-crash overflow is hard to detect or locate without shadow memory.

CVE-2022-45491: Heap Overflow in json_parse_value() · Issue #94 · sheredom/json.h

Buffer overflow vulnerability in function json_parse_number in sheredom json.h before commit 0825301a07cbf51653882bf2b153cc81fdadf41 (November 14, 2022) allows attackers to code arbitrary code and gain escalated privileges.

Heap Overflow in json\_parse\_number()  
In json\_parse\_number(), there is a heap out-of-bound write. The bug can be triggered with an invocation of json\_parse\_ex() with specific flags combination. The root cause of this vulnerability is that the parameter number transferred to json\_parse\_number() is not properly sanitized, and it is pointed to out-of-bound position assigned by upper layer function.

Here is the output of Google ASAN when the vulnerability is triggerred:

**The flags is 0x5fd6d79cd6247bff**

\==5128==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000001c0 at pc 0x560f532c646f bp 0x7ffc97871f80 sp 0x7ffc97871f78  
WRITE of size 8 at 0x6140000001c0 thread T0  
#0 0x560f532c646e in json\_parse\_number /home/hyrathon/Desktop/jsonh/./json.h:1839:18  
#1 0x560f532c22d1 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1980:7  
#2 0x560f532c08f0 in json\_parse\_object /home/hyrathon/Desktop/jsonh/./json.h:1719:5  
#3 0x560f532c11c8 in json\_parse\_value /home/hyrathon/Desktop/jsonh/./json.h:1940:5  
#4 0x560f532c9c85 in json\_parse\_ex /home/hyrathon/Desktop/jsonh/./json.h:2129:3  
#5 0x560f532e0192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5  
#6 0x7f65c9a20d8f in \_\_libc\_start\_call\_main csu/../sysdeps/nptl/libc\_start\_call\_main.h:58:16  
#7 0x7f65c9a20e3f in \_\_libc\_start\_main csu/../csu/libc-start.c:392:3  
#8 0x560f531ee314 in \_start (/home/hyrathon/Desktop/jsonh/san+0x33314) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)

0x6140000001c4 is located 0 bytes to the right of 388-byte region \[0x614000000040,0x6140000001c4)  
allocated by thread T0 here:  
#0 0x560f5327115e in \_\_interceptor\_malloc (/home/hyrathon/Desktop/jsonh/san+0xb615e) (BuildId: a0e983e1c9c38a8763824dc5481f79d22fe8c82a)  
#1 0x560f532c8f15 in json\_parse\_ex /home/hyrathon/Desktop/jsonh/./json.h:2088:18  
#2 0x560f532e0192 in main /home/hyrathon/Desktop/jsonh/fuzz.c:29:5  
#3 0x7f65c9a20d8f in \_\_libc\_start\_call\_main csu/../sysdeps/nptl/libc\_start\_call\_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hyrathon/Desktop/jsonh/./json.h:1839:18 in json\_parse\_number  
Shadow bytes around the buggy address:  
0x0c287fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c287fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c287fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00  
0x0c287fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c287fff8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c287fff8030: 00 00 00 00 00 00 00 00\[04\]fa fa fa fa fa fa fa  
0x0c287fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c287fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c287fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c287fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c287fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
\==5128==ABORTING  
The input to trigger this bug is attached. The first 8 bytes are the flags for json\_parse\_ex() and the rest is the content(src). Please use address sanitizer to reproduce the bug, as non-crash overflow is hard to detect or locate without shadow memory.

Version: latest commit (sheredom/json.h@bdcf2e1)

crash-input.zip

CVE-2022-45492: Heap Overflow in json.h(json_parse_number())

Buffer Overflow vulnerability in authfile.c memcached 1.6.9 allows attackers to cause a denial of service via crafted authenticattion file.

**Tested On:**

memcached 1.6.9

**PoC:**

a.txt

**./memcached --auth-file=input/a.txt -u root -m 1024 -p 11211**

\==1061115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000009e at pc 0x7fae5a305f9d bp 0x7ffee16f4fd0 sp 0x7ffee16f4778  
WRITE of size 15 at 0x60200000009e thread T0  
#0 0x7fae5a305f9c (/lib/x86\_64-linux-gnu/libasan.so.5+0x53f9c)  
#1 0x55bca5ccaf23 in fgets /usr/include/x86\_64-linux-gnu/bits/stdio2.h:265  
#2 0x55bca5ccaf23 in authfile\_load /home/constantine/test/memcached/authfile.c:50  
#3 0x55bca5c3ffb5 in main /home/constantine/test/memcached/memcached.c:5639  
#4 0x7fae597010b2 in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x270b2)  
#5 0x55bca5c45d9d in \_start (/home/constantine/test/memcached/memcached+0x26d9d)

0x60200000009e is located 0 bytes to the right of 14-byte region \[0x602000000090,0x60200000009e)  
allocated by thread T0 here:  
#0 0x7fae5a3bfdc6 in calloc (/lib/x86\_64-linux-gnu/libasan.so.5+0x10ddc6)  
#1 0x55bca5ccaedd in authfile\_load /home/constantine/test/memcached/authfile.c:44

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib/x86\_64-linux-gnu/libasan.so.5+0x53f9c)  
Shadow bytes around the buggy address:  
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c047fff8000: fa fa 00 04 fa fa 00 00 fa fa 00 00 fa fa 00 00  
\=>0x0c047fff8010: fa fa 00\[06\]fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==1061115==ABORTING

CVE-2021-37519: Heap buffer overflow · Issue #805 · memcached/memcached

Buffer OverFlow Vulnerability in Barenboim json-parser master and v1.1.0 fixed in v1.1.1 allows an attacker to execute arbitrary code via the json_value_parse function.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-23088: heap-buffer-overflow at json_value_parse · Issue #7 · Barenboim/json-parser

Buffer OverFlow Vulnerability in MojoJson v1.2.3 allows an attacker to execute arbitrary code via the SkipString function.

CVE-2023-23086: heap-buffer-overflow in func SkipString · Issue #2 · scottcgi/MojoJson

Buffer Overflow vulnerability in Cesanta mJS 1.26 allows remote attackers to cause a denial of service via crafted .js file to mjs_set_errorf.

**Built:**

Jun 30 2021

**Details:**

heap-based buffer overflow **mjs.c:7617** in **mjs\_set\_errorf**

**Command:**

./mjs -f Heap\_Buffer\_Overflow.js

**Result:**

\==2419050==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000178 at pc 0x55555557f3ed bp 0x7fffffffcf40 sp 0x7fffffffcf30  
READ of size 8 at 0x604000000178 thread T0  
#0 0x55555557f3ec in mjs\_set\_errorf /home/constantine/mjs/mjs.c:7617  
#1 0x555555598395 in parse\_literal /home/constantine/mjs/mjs.c:12166  
#2 0x55555559861b in parse\_call\_dot\_mem /home/constantine/mjs/mjs.c:12175  
#3 0x5555555990d3 in parse\_postfix /home/constantine/mjs/mjs.c:12209  
#4 0x55555559932c in parse\_unary /home/constantine/mjs/mjs.c:12228  
#5 0x5555555995d1 in parse\_mul\_div\_rem /home/constantine/mjs/mjs.c:12241  
#6 0x555555599ba8 in parse\_plus\_minus /home/constantine/mjs/mjs.c:12246  
#7 0x55555559a1c1 in parse\_shifts /home/constantine/mjs/mjs.c:12251  
#8 0x55555559a648 in parse\_comparison /home/constantine/mjs/mjs.c:12255  
#9 0x55555559a9bb in parse\_equality /home/constantine/mjs/mjs.c:12259  
#10 0x55555559ae46 in parse\_bitwise\_and /home/constantine/mjs/mjs.c:12264  
#11 0x55555559b3ec in parse\_bitwise\_xor /home/constantine/mjs/mjs.c:12269  
#12 0x55555559b992 in parse\_bitwise\_or /home/constantine/mjs/mjs.c:12274  
#13 0x55555559bf38 in parse\_logical\_and /home/constantine/mjs/mjs.c:12279  
#14 0x55555559c4de in parse\_logical\_or /home/constantine/mjs/mjs.c:12284  
#15 0x7fffffffdc0f (\[stack\]+0x1fc0f)

Address 0x604000000178 is a wild pointer.  
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/constantine/mjs/mjs.c:7617 in mjs\_set\_errorf  
Shadow bytes around the buggy address:  
0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c087fff8000: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00  
0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]  
0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==2419050==ABORTING

**PoC:**

Heap\_Buffer\_Overflow.js.tar.gz

CVE-2021-36535: Heap-based Buffer Overflow Vulnerability · Issue #175 · cesanta/mjs

Buffer Overflow vulnerability in pdfimages in xpdf 4.03 allows attackers to crash the application via crafted command.

CVE-2021-36493: Stack overflow bugs in pdfimages of xpdf 4.03

Buffer Overflow vulnerability in HDFGroup hdf5-h5dump 1.12.0 through 1.13.0 allows attackers to cause a denial of service via h5tools_str_sprint in /hdf5/tools/lib/h5tools_str.c.

CVE-2021-37501: Something_Found/HDF5_v1.13.0_h5dump_heap_overflow.md at main · ST4RF4LL/Something_Found

Ubuntu Security Notice 5841-1 - It was discovered that LibTIFF incorrectly handled certain malformed images. If a user or automated system were tricked into opening a specially crafted image, a remote attacker could crash the application, leading to a denial of service, or possibly execute arbitrary code with user privileges. This issue was only fixed in Ubuntu 14.04 ESM. It was discovered that LibTIFF was incorrectly accessing a data structure when processing data with the tiffcrop tool, which could lead to a heap buffer overflow. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-5841-1February 02, 2023tiff vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 16.04 ESM- Ubuntu 14.04 ESMSummary:Several security issues were fixed in LibTIFF.Software Description:- tiff: Tag Image File Format (TIFF) libraryDetails:It was discovered that LibTIFF incorrectly handled certain malformedimages. If a user or automated system were tricked into opening aspecially crafted image, a remote attacker could crash the application,leading to a denial of service, or possibly execute arbitrary code withuser privileges. This issue was only fixed in Ubuntu 14.04 ESM.(CVE-2019-14973, CVE-2019-17546, CVE-2020-35523, CVE-2020-35524,CVE-2022-3970)It was discovered that LibTIFF was incorrectly acessing a data structurewhen processing data with the tiffcrop tool, which could lead to a heapbuffer overflow. An attacker could possibly use this issue to cause adenial of service or execute arbitrary code. (CVE-2022-48281)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 16.04 ESM:   libtiff-tools                   4.0.6-1ubuntu0.8+esm9   libtiff5                        4.0.6-1ubuntu0.8+esm9Ubuntu 14.04 ESM:   libtiff-tools                   4.0.3-7ubuntu0.11+esm6   libtiff5                        4.0.3-7ubuntu0.11+esm6In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-5841-1   CVE-2019-14973, CVE-2019-17546, CVE-2020-35523, CVE-2020-35524,   CVE-2022-3970, CVE-2022-48281

Ubuntu Security Notice USN-5841-1

sprintf in the GNU C Library (glibc) 2.37 has a buffer overflow (out-of-bounds write) in some situations with a correct buffer size. This is unrelated to CWE-676. It may write beyond the bounds of the destination buffer when attempting to write a padded, thousands-separated string representation of a number, if the buffer is allocated the exact size required to represent that number as a string. For example, 1,234,567 (with padding to 13) overflows by two bytes.

'30068?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

Tag

#buffer_overflow