From 2e33c218cbd53b8d016e9230c2f600411b6146b8 Mon Sep 17 00:00:00 2001 From: Jordan Bayles Date: Fri, 11 Oct 2019 15:08:42 -0700 Subject: [PATCH] Fix fuzzer off by one error (#1047) * Fix fuzzer off by one error Currently the fuzzer has an off by one error, as it passing a bad length to the CharReader::parse method, resulting in a heap buffer overflow. * Rebase master, rerun clang format --- example/readFromString/readFromString.cpp | 4 ++-- src/lib_json/json_value.cpp | 4 +++- src/test_lib_json/fuzz.cpp | 1 + 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/example/readFromString/readFromString.cpp b/example/readFromString/readFromString.cpp index 753f9c9..ce32236 100644 --- a/example/readFromString/readFromString.cpp +++ b/example/readFromString/readFromString.cpp @@ -2,8 +2,8 @@ #include /** * \brief Parse a raw string into Value object using the CharReaderBuilder - * class, or the legacy Reader class. - * Example Usage: + * class, or the legacy Reader class. + * Example Usage: * $g++ readFromString.cpp -ljsoncpp -std=c++11 -o readFromString * $./readFromString * colin diff --git a/src/lib_json/json_value.cpp b/src/lib_json/json_value.cpp index 30d9ad8..e136783 100644 --- a/src/lib_json/json_value.cpp +++ b/src/lib_json/json_value.cpp @@ -210,7 +210,9 @@ LogicError::LogicError(String const& msg) : Exception(msg) {} JSONCPP_NORETURN void throwRuntimeError(String const& msg) { throw RuntimeError(msg); } -JSONCPP_NORETURN void throwLogicError(String const& msg) { throw LogicError(msg); } +JSONCPP_NORETURN void throwLogicError(String const& msg) { + throw LogicError(msg); +} #else // !JSON_USE_EXCEPTION JSONCPP_NORETURN void throwRuntimeError(String const& msg) { abort(); } JSONCPP_NORETURN void throwLogicError(String const& msg) { abort(); } diff --git a/src/test_lib_json/fuzz.cpp b/src/test_lib_json/fuzz.cpp index f79f19f..d6e3815 100644 --- a/src/test_lib_json/fuzz.cpp +++ b/src/test_lib_json/fuzz.cpp @@ -25,6 +25,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) { uint32_t hash_settings = *(const uint32_t*)data; data += sizeof(uint32_t); + size -= sizeof(uint32_t); builder.settings_["failIfExtra"] = hash_settings & (1 << 0); builder.settings_["allowComments_"] = hash_settings & (1 << 1);