bug-gnustep

NSJSONSerialization stack overflow


From: Lubomir Rintel
Subject: NSJSONSerialization stack overflow
Date: Mon, 30 Jan 2012 11:02:43 +0100

gnustep-base 1.23.0 does not reset the end-of-string pointer after flushing the 
character buffer into an NSString and proceeds to copy the characters from the 
JSON string beyond the bounds of the buffer.

This has potential security implications if a malicious attacker tricked the 
victim into loading a malformed JSON structure from an untrusted source, which 
could trigger the condition and cause the program using the library to crash or 
execute arbitrary code.

Fix follows.

* Source/NSJSONSerialization.m: (parseString): Reset bufferIndex to zero after
flush.

* Tests/base/NSJSONSerialization/json.m: (main): Add long string to test 
fixture.

Index: Source/NSJSONSerialization.m
===================================================================
--- Source/NSJSONSerialization.m        (revision 34664)
+++ Source/NSJSONSerialization.m        (working copy)
@@ -335,6 +335,7 @@
         {
           NSMutableString *str;
 
+          bufferIndex = 0;
           str = [[NSMutableString alloc] initWithCharacters: buffer
                                                     length: 64];
           if (nil == val)
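Review bot: the added `bufferIndex = 0;` is placed before the flush into `initWithCharacters: buffer length: 64`, while the ChangeLog entry says the index is reset after the flush; the order is harmless here only because the flush passes the literal 64 instead of bufferIndex, and that literal is the fragile part: if the buffer declaration ever changes size, this call silently reads the wrong amount. Suggest `length: bufferIndex` (which should equal 64 at this point, assuming the flush is reached only when the buffer is full) or one shared constant for both the array size and this argument, and moving the reset after the flush so the code matches the ChangeLog wording.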
Index: Tests/base/NSJSONSerialization/json.m
===================================================================
--- Tests/base/NSJSONSerialization/json.m       (revision 34664)
+++ Tests/base/NSJSONSerialization/json.m       (working copy)
@@ -14,6 +14,7 @@
           \"Title\":  \"View from 15th Floor\",\
           \"Thumbnail\": {\
               \"Url\":    \"http://www.example.com/image/481989943\",\
+              \"Description\": \"This is a long long long long long long long 
long long long long long long long long long long long long long long long long 
long long description.\",\
               \"Height\": 125,\
               \"Width\":  \"100\"\
           },\
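Review bot: the added fixture only shows that the parser survives a "Description" longer than 64 characters; nothing asserts that the decoded value equals the input, so a parser that flushed in the wrong order or dropped characters would still pass, and so may an unpatched build, because a stack overrun past a 64-slot buffer is not guaranteed to crash without a guard page or ASan. Suggest an explicit PASS check that the parsed "Description" round-trips to the fixture string. The string is longer than 128 characters and therefore flushes the buffer twice, which is worth keeping: the first flush shows the index is reset, the second shows it stays correct.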

-- 
Lubomir Rintel (GoodData)
ext.: #7715
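The bug described in this report, as an added C example that is not GNUstep's code and not part of the original message: a hypothetical model of parseString's fixed-buffer scheme (a 64-slot stack buffer flushed into a growing string whenever it fills), run once with the 1.23.0 behaviour, where the write index is left at 64 after the flush, and once with the patch's reset. The unpatched variant does not perform the out-of-bounds write; it reports where the write would have landed past buffer[] and stops. The sample input is the "Description" value from the patch's test fixture, constructed here as a JSON literal; escape sequences are deliberately not handled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 64   /* fixed buffer size, matching `length: 64` in the hunk */

/* Outcome of parsing one JSON string literal. */
typedef struct {
    char *value;     /* heap copy of the decoded string, NULL on error */
    size_t flushes;  /* times the full buffer was emptied into value */
    int overflow;    /* 1 if the unpatched logic would have written past buffer[] */
} parse_result;

/* Grow *dst and append n bytes of src: stands in for the NSMutableString
 * each flushed buffer is appended to in the real parser. */
static void append(char **dst, size_t *len, const char *src, size_t n)
{
    char *grown = realloc(*dst, *len + n + 1);
    if (grown == NULL) { perror("realloc"); abort(); }
    *dst = grown;
    memcpy(*dst + *len, src, n);
    *len += n;
    (*dst)[*len] = '\0';
}

/* Hypothetical model of parseString (not GNUstep's code): json points at the
 * opening quote; characters are copied into a 64-slot stack buffer, and when
 * it fills the buffer is flushed into the growing result.  reset_on_flush == 0
 * keeps the 1.23.0 behaviour (index left at 64 after the flush); instead of
 * letting the next character be written past buffer[], the model sets
 * overflow = 1 and stops.  reset_on_flush == 1 is the patched behaviour. */
static parse_result parse_string(const char *json, int reset_on_flush)
{
    char buffer[BUF_LEN];
    size_t bufferIndex = 0, out_len = 0;
    parse_result r = { NULL, 0, 0 };
    const char *p = json;

    if (*p++ != '"')
        return r;                         /* not a string literal */
    while (*p != '\0' && *p != '"') {
        if (bufferIndex == BUF_LEN) {     /* buffer full: flush it */
            append(&r.value, &out_len, buffer, BUF_LEN);
            r.flushes++;
            if (reset_on_flush)
                bufferIndex = 0;          /* the one-line fix from the patch */
        }
        if (bufferIndex >= BUF_LEN) {     /* unpatched: next write would be OOB */
            r.overflow = 1;
            free(r.value);
            r.value = NULL;
            return r;
        }
        buffer[bufferIndex++] = *p++;
    }
    if (*p != '"') {                      /* unterminated literal */
        free(r.value);
        r.value = NULL;
        return r;
    }
    append(&r.value, &out_len, buffer, bufferIndex);   /* tail of the buffer */
    return r;
}

/* Parse a literal made of n copies of c; isolates the 64/65 boundary. */
static parse_result parse_repeated(char c, size_t n, int reset_on_flush)
{
    char *json = malloc(n + 3);
    parse_result r;
    if (json == NULL) abort();
    json[0] = '"';
    memset(json + 1, c, n);
    json[n + 1] = '"';
    json[n + 2] = '\0';
    r = parse_string(json, reset_on_flush);
    free(json);
    return r;
}

/* 1 if parsing json yields exactly the text between its quotes. */
static int roundtrips(const char *json, int reset_on_flush)
{
    parse_result r = parse_string(json, reset_on_flush);
    size_t body_len = strlen(json) - 2;
    int ok = r.value != NULL && strlen(r.value) == body_len
             && memcmp(r.value, json + 1, body_len) == 0;
    free(r.value);
    return ok;
}

/* The "Description" value the patch adds to the test fixture, as a JSON
 * literal (constructed input; 147 characters of body, enough to flush twice). */
static const char SAMPLE_JSON[] =
    "\"This is a long long long long long long long "
    "long long long long long long long long "
    "long long long long long long long long "
    "long long description.\"";

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        parse_result r = parse_string(SAMPLE_JSON, fixed);
        printf("%s: overflow=%d flushes=%zu value_len=%zu\n",
               fixed ? "patched" : "1.23.0 ", r.overflow, r.flushes,
               r.value ? strlen(r.value) : (size_t)0);
        free(r.value);
    }
    return 0;
}
```

The 64-character case passes under both variants, which is why a fixture shorter than the buffer would never have caught the bug; the 65th character is the first one written after a flush, and that is the write the patch moves back to buffer[0].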
