Timeout (OSS-Fuzz 6034)

[nlohmann]

Detailed report: https://oss-fuzz.com/testcase?key=5146728694022144

Project: json
Fuzzer: libFuzzer_json_parse_ubjson_fuzzer
Fuzz target binary: parse_ubjson_fuzzer
Job Type: libfuzzer_ubsan_json
Platform Id: linux

Crash Type: Timeout (exceeds 10 secs)
Crash Address: 
Crash State:
NULL
Sanitizer: undefined (UBSAN)

Reproducer Testcase: https://oss-fuzz.com/download?testcase_id=5146728694022144

Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

Note: This crash might not be reproducible with the provided testcase. That said, for the past 14 days we've been seeing this crash frequently. If you are unable to reproduce this, please try a speculative fix based on the crash stacktrace in the report. The fix can be verified by looking at the crash statistics in the report, a day after the fix is deployed. We will auto-close the bug if the crash is not seen for 14 days.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.

When you fix this bug, please
* mention the fix revision(s).
* state whether the bug was a short-lived regression or an old bug in any stable releases.
* add any other useful information.
This information can help downstream consumers.

clusterfuzz-testcase-minimized-5146728694022144.dms.zip

[nlohmann]

I analyzed the issue: the first bytes are:

5b 245a 23 4c 7828006828696917

meaning an array ([) with null-typed ($Z) 8658170730974374167 elements (Lx(.h = 0x7828006828696917) should be parsed.

As the type of the elements (null) is given, no bytes have to be read - instead, the library tries to create an array with 8658170730974374167 entries...

[nlohmann]

Possible fix: adding a check that size <= result.max_size() and throw an exception.

[gregmarr]

That sounds reasonable to me.