Closed
Description
OSS-Fuzz detected an input that yields an assertion.
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=48073
- https://oss-fuzz.com/testcase-detail/6469348761403392
Reproduction steps
Input:
00000000: 5b5b 2420 235b 4dff ffff ffff ffff ff69  [[$ #[M........i
00000010: 015d 5d                                  .]]
clusterfuzz-testcase-minimized-parse_bjdata_fuzzer-6469348761403392.bjdata.zip
Expected vs. actual results
Actual result:
<array>
<object size="3">
<key key="_ArraySize_" />
<array size="2">
<number_unsigned val="18446744073709551615" />
<number_unsigned val="1" />
</array>
<array>
</array>
</array>
Assertion failed: (ref_stack.back()->is_array()), function end_array, file json_sax.hpp, line 269.
Expected result:
Parse error.
Minimal code example
See above.
Error messages
Assertion failed: (ref_stack.back()->is_array()), function end_array, file json_sax.hpp, line 269.
Compiler and operating system
OSS-Fuzz
Library version
develop
Validation
- The bug also occurs if the latest version from the develop branch is used.
- I can successfully compile and run the unit tests.