Exception handling for very large or invalid number in function parse_number(...) in the file cJSON.c:176
Closed, Wontfix (Public)


(SYSTEM: ArchLinux - current version, gpgme version 1.12.0)
The basic problem is that if we add a value as a number that is either too big or not a number, the parsing function parse_number in the file cJSON.c tries to cast this number as an int as well as a double value. As a result, the (double) entry and the (integer) entry of the cJSON object do not have the same value after parsing.
i.e., if we have an entry like this:

   "name": "-e987",

after parsing the object has the following entries:

- type: 3
- valueint: -2147483648
- valuedouble: -nan(0x8000000000000)


static const char * parse_number (cJSON * item, const char *num)
 /* number = +/- number.fraction * 10^+/- exponent */
 n = sign * n * pow (10.0, (scale + subscale * signsubscale));
+ // proof if n is "nan" or "inf"
+ if( isnan(n) || isinf(n) )  {
+   printf("Not a number\n");
+ }
 item->valuedouble = n;
 item->valueint = (int) n;
 return num;
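Review bot: the added check at `+ if( isnan(n) || isinf(n) )` only prints "Not a number" and then falls through to `item->valuedouble = n;` and `item->valueint = (int) n;`, so the NaN is still stored in valuedouble and the cast of a NaN (or of any double outside int range) to int is still undefined behaviour in C; the check should make parse_number fail (return NULL or otherwise signal the error to the caller) rather than write to stdout from library code. It also runs after the damage is done: the report's input "-e987" already reaches the `pow()` line and yields type 3 with -nan, so the number grammar (a digit before the exponent, a bounded exponent) should be validated before n is computed, with the isnan/isinf test kept only as a last-resort guard. Minor: isnan/isinf need <math.h>, and the comment should read "check", not "proof".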

found with libFuzzer and ASAN by clang 7.0.1

Sirko Höer
Code Intelligence GmbH
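The report above shows two separate defects: a malformed number is accepted at all, and a non-finite or out-of-range double is cast to int. The following is an added example written for this page, not code from cJSON or gpgme; safe_parse_number(), json_number_span(), parsed_number and the num_status codes are hypothetical names. It goes beyond the single "-e987" case by validating the full RFC 8259 number grammar before conversion, rejecting infinity and NaN, and clamping the int field instead of performing the undefined cast, so valueint and valuedouble can only disagree when the caller is told so.

```c
#include <float.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of the hypothetical safe_parse_number(). NUM_OK is the only case
 * in which valueint and valuedouble are guaranteed to hold the same value. */
typedef enum {
    NUM_OK = 0,
    NUM_SYNTAX,      /* not a JSON number, e.g. "-e987" has no digit before 'e' */
    NUM_NOT_FINITE,  /* overflowed to +/-inf or produced NaN */
    NUM_INT_RANGE    /* finite double, but a cast to int would be undefined */
} num_status;

/* Mirrors the two cJSON fields the report compares, plus bookkeeping.
 * Fields are valid after NUM_OK and NUM_INT_RANGE only. */
typedef struct {
    double valuedouble;
    int    valueint;      /* exact when int_exact == 1, clamped otherwise */
    int    int_exact;
    size_t consumed;      /* bytes of input that formed the number */
} parsed_number;

/* Length of the longest prefix matching the JSON number grammar
 * -?(0|[1-9][0-9]*)(\.[0-9]+)?([eE][+-]?[0-9]+)?  (RFC 8259), or 0 if none.
 * Unlike strtod(), this rejects "inf", "nan", hex floats and a bare exponent. */
static size_t json_number_span(const char *s)
{
    const char *p = s;
    if (*p == '-') p++;
    if (*p == '0') {
        p++;
    } else if (*p >= '1' && *p <= '9') {
        while (*p >= '0' && *p <= '9') p++;
    } else {
        return 0;                      /* integer part is mandatory */
    }
    if (*p == '.') {
        p++;
        if (*p < '0' || *p > '9') return 0;
        while (*p >= '0' && *p <= '9') p++;
    }
    if (*p == 'e' || *p == 'E') {
        p++;
        if (*p == '+' || *p == '-') p++;
        if (*p < '0' || *p > '9') return 0;
        while (*p >= '0' && *p <= '9') p++;
    }
    return (size_t)(p - s);
}

num_status safe_parse_number(const char *num, parsed_number *out)
{
    size_t len = json_number_span(num);
    if (len == 0) return NUM_SYNTAX;

    char *end = NULL;
    double n = strtod(num, &end);       /* grammar already checked; strtod only converts */
    if (end != num + len) return NUM_SYNTAX;  /* e.g. "01": grammar stops at "0" */
    out->consumed = len;

    /* strtod() returns +/-HUGE_VAL (infinity on IEEE 754) on overflow.
     * n != n is the portable NaN test and the DBL_MAX comparisons catch
     * infinity, so no libm is needed. */
    if (n != n || n > DBL_MAX || n < -DBL_MAX) return NUM_NOT_FINITE;
    out->valuedouble = n;

    /* (int)n is undefined behaviour when the truncated value does not fit;
     * clamp instead and tell the caller the int is not exact. */
    if (n >= (double)INT_MAX + 1.0) {
        out->valueint = INT_MAX; out->int_exact = 0; return NUM_INT_RANGE;
    }
    if (n <= (double)INT_MIN - 1.0) {
        out->valueint = INT_MIN; out->int_exact = 0; return NUM_INT_RANGE;
    }
    out->valueint = (int)n;
    out->int_exact = ((double)out->valueint == n);
    return NUM_OK;
}

int main(void)
{
    /* Constructed inputs: the report's "-e987", an overflowing exponent,
     * and values on both sides of the int range. */
    const char *samples[] = { "-e987", "1e400", "42", "3e9", "-2147483648", "1.5" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        parsed_number pn = {0};
        num_status st = safe_parse_number(samples[i], &pn);
        printf("%-12s status=%d valuedouble=%g valueint=%d exact=%d\n",
               samples[i], (int)st, pn.valuedouble, pn.valueint, pn.int_exact);
    }
    return 0;
}
```

The grammar check is what turns "-e987" into a parse error instead of a NaN node; the range check is what keeps the int field defined for inputs such as 3e9, which are perfectly valid JSON but do not fit in an int. A caller that needs exact integers should test int_exact rather than assume the two fields agree.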


aheinecke triaged this task as Normal priority. Jan 23 2019, 8:43 AM
aheinecke claimed this task.
aheinecke added a subscriber: aheinecke.


werner closed this task as Wontfix. Tue, Jun 4, 11:02 AM
werner added a subscriber: werner.

The solution conflicts with the fix suggested and implemented for T4330.