(SYSTEM: ArchLinux - current version, gpgme version 1.12.0)

the basic problem is, that if we add a value as a number that is either to big or not a number,the parsing function parse_number in the file cJSON.c tries to cast this number as an int as well as a double value. As a result, the (double) entry and the (integer)entry of the cJSON object has not the same value after parsing.

i.e.: if we have a entry like this:

{ "name": "-e987", }

after parsing the object has the following entries:

... - type: 3 - valueint: -2147483648 - valuedouble: -nan(0x8000000000000)

FIX:

static const char * parse_number (cJSON * item, const char *num) { ... /* number = +/- number.fraction * 10^+/- exponent */ n = sign * n * pow (10.0, (scale + subscale * signsubscale)); ... + // proof if n is "nan" or "inf" + if( isnan(n) || isinf(n) ) { + printf("Not a number\n"); + } ... item->valuedouble = n; item->valueint = (int) n; return num; }

found with libFuzzer and ASAN by clang 7.0.1

regards

Sirko Höer

Code Intelligence GmbH