
Exception handling for very large or invalid number in function parse_number(...) in the file cJSON.c:176
Closed, Wontfix. Public.

Description

(SYSTEM: ArchLinux - current version, gpgme version 1.12.0)
The basic problem is that if we add a value as a number that is either too big or not a number, the parsing function parse_number in the file cJSON.c tries to cast this number as an int as well as a double value. As a result, the (double) entry and the (integer) entry of the cJSON object do not have the same value after parsing.
i.e., if we have an entry like this:

{
   "name": "-e987",
}

after parsing, the object has the following entries:

...
- type: 3
- valueint: -2147483648
- valuedouble: -nan(0x8000000000000)

FIX:

static const char * parse_number (cJSON * item, const char *num)
{
 ...
 /* number = +/- number.fraction * 10^+/- exponent */
 n = sign * n * pow (10.0, (scale + subscale * signsubscale));
 ...
+ // proof if n is "nan" or "inf"
+ if( isnan(n) || isinf(n) )  {
+   printf("Not a number\n");
+ }
 ...
 item->valuedouble = n;
 item->valueint = (int) n;
 return num;
}
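Review bot: the added `if( isnan(n) || isinf(n) )` block only prints "Not a number" and then falls through to `item->valuedouble = n;` and `item->valueint = (int) n;`, so the inconsistent NaN / -2147483648 pair described above is still stored in the item. A library parser should report the failure rather than write to stdout: return NULL from parse_number (or record an error state) when n is not finite, so that the caller rejects the document. Note also that `(int) n` is undefined behaviour not only for NaN and infinity but for any value outside the int range, so the check should cover out-of-range finite values as well.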

Found with libFuzzer and ASAN by clang 7.0.1.

regards
Sirko Höer
Code Intelligence GmbH
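An added example, not code from this report, from gpgme or from cJSON: it re-creates the arithmetic line quoted above so the "-e987" case (sign -1, no digits, exponent 987) can be reproduced offline, and shows a hypothetical hardened finishing step that rejects non-finite results and keeps valueint and valuedouble consistent. The helper names are assumptions, and a libm-free loop stands in for pow(10.0, e).

```c
#include <limits.h>
#include <math.h>
#include <stdbool.h>

/* The two fields of the cJSON item that parse_number fills in. */
typedef struct {
    double valuedouble;
    int valueint;
} num_item;

/* Stand-in for pow(10.0, e) that needs no libm; like pow it overflows to inf. */
static double pow10_double(int e)
{
    double p = 1.0;
    for (; e > 0; e--) p *= 10.0;
    for (; e < 0; e++) p /= 10.0;
    return p;
}

/* Re-creation of the arithmetic line quoted from parse_number. For "-e987"
 * the parser sees sign=-1, no digits (n=0) and exponent 987, so the result
 * is (-1 * 0) * inf, which is NaN. */
static double cjson_style_number(int sign, double n, int scale,
                                 int subscale, int signsubscale)
{
    return sign * n * pow10_double(scale + subscale * signsubscale);
}

/* Hypothetical hardened finishing step: non-finite values are rejected
 * instead of stored, and the int conversion saturates, because (int)n is
 * undefined behaviour for NaN, inf or values outside the int range. */
static bool store_number_checked(num_item *item, double n)
{
    if (isnan(n) || isinf(n))
        return false;                 /* caller treats this as a parse error */
    item->valuedouble = n;
    if (n >= (double)INT_MAX)
        item->valueint = INT_MAX;
    else if (n <= (double)INT_MIN)
        item->valueint = INT_MIN;
    else
        item->valueint = (int)n;      /* in range: truncation toward zero is defined */
    return true;
}
```

When store_number_checked returns false the caller should return NULL from the parser, the same way cJSON signals any other malformed token.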

Details

Version
1.12.0

Event Timeline

aheinecke triaged this task as Normal priority.
aheinecke added a subscriber: aheinecke.

Thanks

werner added a subscriber: werner.

The solution conflicts with the fix suggested and implemented for T4330.