Hi,
I ran the clang static analyzer on cJSON and it found this potential issue:
```
Event 1: Logic error: Dereference of null pointer (loaded from variable 'string') (3rdparty/cjson/cjson_utils.c:211)

3rdparty/cjson/cjson_utils.c
197         }
198         else
199         {
200             return NULL;
201         }
202     }
203
204     return object;
205 }
206
207 /* JSON Patch implementation. */
208 static void cJSONUtils_InplaceDecodePointerString(char *string)
209 {
210     char *s2 = string;
211     for (; *string; s2++, string++)
        ^ Logic error: Dereference of null pointer (loaded from variable 'string')
212     {
213         *s2 = (*string != '~')
214             ? (*string)
215             : ((*(++string) == '0')
216                     ? '~'
217                     : '/');
218     }
219
220     *s2 = '\0';
221 }
222
223 static cJSON *cJSONUtils_PatchDetach(cJSON *object, const char *path)
224 {
225     char *parentptr = NULL;

Value assigned to 'childptr'
3rdparty/cjson/cjson_utils.c
229
230     /* copy path and split it in parent and child */
231     parentptr = cJSONUtils_strdup(path);
232     childptr = strrchr(parentptr, '/'); /* last '/' */
        ^ Value assigned to 'childptr'
233     if (childptr)
234     {
235         /* split strings */

Assuming 'childptr' is null
3rdparty/cjson/cjson_utils.c
230     /* copy path and split it in parent and child */
231     parentptr = cJSONUtils_strdup(path);
232     childptr = strrchr(parentptr, '/'); /* last '/' */
233     if (childptr)
        ^ Assuming 'childptr' is null
234     {
235         /* split strings */
236         *childptr++ = '\0';

Passing null pointer value via 1st parameter 'string'
3rdparty/cjson/cjson_utils.c
236         *childptr++ = '\0';
237     }
238     parent = cJSONUtils_GetPointer(object, parentptr);
239     cJSONUtils_InplaceDecodePointerString(childptr);
        ^ Passing null pointer value via 1st parameter 'string'
240
241     if (!parent)
242     {

Calling 'cJSONUtils_InplaceDecodePointerString'
3rdparty/cjson/cjson_utils.c
236         *childptr++ = '\0';
237     }
238     parent = cJSONUtils_GetPointer(object, parentptr);
239     cJSONUtils_InplaceDecodePointerString(childptr);
        ^ Calling 'cJSONUtils_InplaceDecodePointerString'
240
241     if (!parent)
242     {

Entered call from 'cJSONUtils_PatchDetach'
3rdparty/cjson/cjson_utils.c
205 }
206
207 /* JSON Patch implementation. */
208 static void cJSONUtils_InplaceDecodePointerString(char *string)
    ^ Entered call from 'cJSONUtils_PatchDetach'
209 {
210     char *s2 = string;
211     for (; *string; s2++, string++)

Dereference of null pointer (loaded from variable 'string')
3rdparty/cjson/cjson_utils.c
208 static void cJSONUtils_InplaceDecodePointerString(char *string)
209 {
210     char *s2 = string;
211     for (; *string; s2++, string++)
        ^ Dereference of null pointer (loaded from variable 'string')
212     {
213         *s2 = (*string != '~')
214             ? (*string)
```
This looks trivial to address with a strategic null pointer check.
Thanks, Benbuck
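The analyzer trace above comes down to one path: `strrchr` returns NULL when the patch path contains no '/', and that NULL reaches the in-place decoder. The following is an added example, not cJSON's code and not the fix that was committed; `decode_token` and `split_pointer` are hypothetical names, and the sample paths are constructed. It shows the same split-and-decode step with the missing-'/' case rejected before any dereference.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode JSON Pointer escapes in place (~0 -> '~', ~1 -> '/').
 * Returns -1 instead of dereferencing when token is NULL. */
static int decode_token(char *token)
{
    char *out = token;
    if (token == NULL)
        return -1;
    for (; *token != '\0'; out++, token++) {
        if (token[0] == '~' && token[1] == '0') { *out = '~'; token++; }
        else if (token[0] == '~' && token[1] == '1') { *out = '/'; token++; }
        else { *out = *token; }
    }
    *out = '\0';
    return 0;
}

/* Copy path and split it at the last '/' into parent and decoded child.
 * Returns 0 on success; the caller frees *parent (child points into it). */
static int split_pointer(const char *path, char **parent, char **child)
{
    char *copy, *slash;
    *parent = *child = NULL;
    if (path == NULL || (copy = malloc(strlen(path) + 1)) == NULL)
        return -1;
    strcpy(copy, path);
    slash = strrchr(copy, '/');
    if (slash == NULL) { /* no '/' at all: the case the analyzer flagged */
        free(copy);
        return -1;
    }
    *slash = '\0';
    decode_token(slash + 1);
    *parent = copy;
    *child = slash + 1;
    return 0;
}

int main(void)
{
    const char *paths[] = { "/a/b~1c", "no-slash" }; /* constructed inputs */
    for (size_t i = 0; i < 2; i++) {
        char *parent, *child;
        int rc = split_pointer(paths[i], &parent, &child);
        printf("%s -> %s\n", paths[i], rc == 0 ? child : "rejected");
        free(parent);
    }
    return 0;
}
```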
Thanks for reporting this. A fix is on the way.
e4eadb9
Thanks, very impressive turn around time on that.
-Benbuck
cjson: security bump to version v1.2.1
130b9dc
Fixes a potential NULL pointer dereference in cJSONUtils_InplaceDecodePointerString(): DaveGamble/cJSON#96

[Peter: extend commit message, mention (potential) security impact]
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>