jplist: Fix OOB read in parse_primitive caused by missing 0-termination
In parse_primitive, integer and double values are parsed by using strtoll
and atof, which both expect the string to be 0-terminated. While this is
not a problem in well-formed JSON files, it can be if the JSON data is not,
possibly leading to a crash due to OOB memory access.
This commit fixes it by copying the value data in question to a stack buffer
and 0-terminate it, and use that buffer instead.
Credit to OSS-Fuzz
diff --git a/src/jplist.c b/src/jplist.c
index 2182079..827b367 100644
--- a/src/jplist.c
+++ b/src/jplist.c
@@ -443,7 +443,13 @@
val = plist_new_node(data);
} else if (str_val[0] == '-' || isdigit(str_val[0])) {
char* endp = NULL;
- long long intpart = strtol(str_val, &endp, 10);
+ char cbuf[48];
+ size_t maxlen = str_end-str_val;
+ if (maxlen >= sizeof(cbuf)) maxlen = sizeof(cbuf)-1;
+ strncpy(cbuf, str_val, maxlen);
+ cbuf[maxlen] = '\0';
+ long long intpart = strtoll(cbuf, &endp, 10);
+ endp = (char*)str_val + (endp-&cbuf[0]);
if (endp >= str_end) {
/* integer */
val = plist_new_uint((uint64_t)intpart);
@@ -452,7 +458,7 @@
char* fendp = endp+1;
while (isdigit(*fendp) && fendp < str_end) fendp++;
if ((fendp > endp+1 && fendp >= str_end) || (fendp+2 < str_end && (*fendp == 'e' || *fendp == 'E') && (*(fendp+1) == '+' || *(fendp+1) == '-') && isdigit(*(fendp+2)))) {
- double dval = atof(str_val);
+ double dval = atof(cbuf);
val = plist_new_real(dval);
} else {
PLIST_JSON_ERR("%s: invalid character at offset %d when parsing floating point value\n", __func__, (int)(fendp - js));
