Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use-of-uninitialized-value (OSS-Fuzz issue 377) #416

Closed
nlohmann opened this issue Jan 3, 2017 · 2 comments
Closed

Use-of-uninitialized-value (OSS-Fuzz issue 377) #416

nlohmann opened this issue Jan 3, 2017 · 2 comments
Assignees
@nlohmann
Labels
aspect: binary formats BSON, CBOR, MessagePack, UBJSON confirmed kind: bug
Milestone
Release 2.1.0

Comments

@nlohmann
Copy link
Owner

nlohmann commented Jan 3, 2017

The library is continuously fuzz tested by Google's OSS-Fuzz. Today, an error was reported:

Detailed report: https://clusterfuzz-external.appspot.com/testcase?key=6051806467588096

Project: json
Fuzzer: libFuzzer_json_fuzzer-parse_cbor
Fuzz target binary: fuzzer-parse_cbor
Job Type: libfuzzer_msan_json
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha

Recommended Security Severity: Medium


Minimized Testcase (0.05 Kb): https://clusterfuzz-external.appspot.com/download/AMIfv95JewdvXub-dTQH2ZJcTO9CU1JJuX0z2r_ayy2dkqW9dUli-j_DKzAnncumcPUGCJ7--lDX9C92a8r84smAF_9TvgQTWcLL3LnxtCbsPjKoSb9v_Hh2nOyGk3rHxMO68Q8Zl5O3wK4MwnCJjWuNL9YK6ENt_eni6z1IKVRVmS3SMQfYIaQlIngHVtCTesM2IoLdwyADpKlFlotYeVVffhtYs4cF8Dku3lmDj-vjLRDZ5YOF4TfEsBva4-tUMtLbfcxoDXk4NmTkld2cFhD6x9qrwJ8EVlOgz7QvaWxfXYp8prFPZbLVgmYzt33nqSopzQobs8qaFjUhbJ4m3ptfoEeQMvpbZFzND2OF39qFmgbTG4LZ-LAyyEcd6puze-HTurgzL_3S?testcase_id=6051806467588096

Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.

#0 0x4c5699 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::basic_json(double) /src/json/src/json.hpp:1515:13
#1 0x4c59a7 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::basic_json<float, void>(float) /src/json/src/json.hpp:1559:11
#2 0x4b9330 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7557:24
#3 0x4b4be6 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7430:39
#4 0x4b4be6 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7430:39
#5 0x4b4be6 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7430:39
#6 0x4b4be6 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7430:39
#7 0x4b4be6 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7430:39
#8 0x4b4be6 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7430:39
#9 0x4b4be6 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7430:39
#10 0x4b4be6 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7430:39
#11 0x4b4be6 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7430:39
#12 0x4b4be6 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7430:39
#13 0x4b4be6 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7430:39
#14 0x4b4be6 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7430:39
#15 0x4b2505 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7335:38
#16 0x495ecf in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) /src/json/src/json.hpp:7690:16
#17 0x494932 in LLVMFuzzerTestOneInput /src/json/test/src/fuzzer-parse_cbor.cpp:34:19
@nlohmann
Copy link
Owner Author

nlohmann commented Jan 3, 2017

There is an error in the code for single-precision floats.

@nlohmann nlohmann self-assigned this Jan 3, 2017
nlohmann added a commit that referenced this issue Jan 3, 2017
@nlohmann
🚑 fix for #416
cdd3b5a
@nlohmann nlohmann added this to the Release 2.0.11 milestone Jan 3, 2017
@nlohmann
Copy link
Owner Author

nlohmann commented Jan 4, 2017

Fixed.

@nlohmann nlohmann closed this as completed Jan 4, 2017
@nlohmann nlohmann modified the milestones: Release 2.0.11, Release 2.1.0 Jan 24, 2017
@nlohmann nlohmann added the aspect: binary formats BSON, CBOR, MessagePack, UBJSON label Mar 28, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nlohmann nlohmann

Labels
aspect: binary formats BSON, CBOR, MessagePack, UBJSON confirmed kind: bug
Projects
None yet
Milestone
Release 2.1.0
Development

No branches or pull requests
1 participant
@nlohmann