
Discard optimized containers with negative counts in UBJSON/BJData (#3491,#3492,#3490) #3500

Merged: 5 commits, May 18, 2022

Conversation

fangq (Contributor) commented May 17, 2022

This may partially address the fuzzer errors reported in #3491, #3492 and #3490.

Specifically, the above failed fuzzer errors appear to be triggered when an ND-array optimized header contains 0 in any of the dimensional vector elements. This causes partially written objects and array constructs.

Another issue this patch fixes is related to the implementation-spec mismatch discussed in #3492 (comment):

    a negative count should result in an invalid UBJSON and BJData input.
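As an added illustration of the two input classes this PR discards (this is my own example, not code from the pull request or from nlohmann/json), the reader below parses the count header that follows a '#' marker in an optimized container. It refuses a negative count, a non-integer or nested entry inside an ND-array dimension vector, and element totals that overflow size_t, and it reports a zero dimension so that a caller never starts emitting payload for it. The class and function names are hypothetical; it assumes BJData's little-endian integer encoding and does not handle a dimension vector that is itself an optimized array.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <limits>
#include <string>
#include <utility>
#include <vector>

// Outcome of reading the count header of an optimized container.
struct CountResult {
    bool ok = false;                  // false: the container must be discarded
    std::string error;                // reason when !ok
    std::vector<std::uint64_t> dims;  // {count} for "#T v"; one entry per axis for "#[...]"
    std::uint64_t total = 0;          // product of dims, overflow-checked
    bool empty = false;               // some dimension is 0: no payload bytes follow
};

class CountHeaderReader {
public:
    explicit CountHeaderReader(std::vector<unsigned char> bytes) : in_(std::move(bytes)) {}

    // Parse the bytes that follow the '#' marker (hypothetical helper, not the library's).
    CountResult read() {
        CountResult r;
        if (pos_ >= in_.size()) return fail(r, "truncated: no count type after '#'");
        const unsigned char m = in_[pos_++];
        if (m != '[') {                               // plain "#T v" count
            std::uint64_t v = 0;
            if (!read_integer(m, v, r.error)) return r;
            r.dims.push_back(v);
        } else {                                      // BJData ND-array dimension vector "#[...]"
            for (;;) {
                if (pos_ >= in_.size()) return fail(r, "truncated dimension vector");
                const unsigned char d = in_[pos_++];
                if (d == ']') break;
                if (d == '[' || d == '{') return fail(r, "nested container inside dimension vector");
                std::uint64_t v = 0;
                if (!read_integer(d, v, r.error)) return r;  // also rejects '$' / '#' here
                r.dims.push_back(v);
            }
            if (r.dims.empty()) return fail(r, "empty dimension vector");
        }
        // total = product of dims; refuse anything that cannot be addressed in memory
        r.total = 1;
        for (std::uint64_t d : r.dims) {
            if (d == 0) { r.empty = true; r.total = 0; break; }
            if (r.total > std::numeric_limits<std::size_t>::max() / d)
                return fail(r, "element count overflows size_t");
            r.total *= d;
        }
        r.ok = true;
        return r;
    }

private:
    std::vector<unsigned char> in_;
    std::size_t pos_ = 0;

    static CountResult& fail(CountResult& r, const char* why) {
        r.ok = false; r.error = why; return r;
    }

    // Width in bytes and signedness of a UBJSON/BJData integer marker.
    static bool int_spec(unsigned char m, int& size, bool& is_signed) {
        switch (m) {
            case 'i': size = 1; is_signed = true;  return true;
            case 'U': size = 1; is_signed = false; return true;
            case 'I': size = 2; is_signed = true;  return true;
            case 'u': size = 2; is_signed = false; return true;  // BJData only
            case 'l': size = 4; is_signed = true;  return true;
            case 'm': size = 4; is_signed = false; return true;  // BJData only
            case 'L': size = 8; is_signed = true;  return true;
            case 'M': size = 8; is_signed = false; return true;  // BJData only
            default:  return false;
        }
    }

    // Read one little-endian integer (BJData byte order, an assumption of this example).
    // A negative value is an error rather than being cast to a huge unsigned count.
    bool read_integer(unsigned char m, std::uint64_t& out, std::string& err) {
        int size = 0; bool is_signed = false;
        if (!int_spec(m, size, is_signed)) { err = "count is not an integer type"; return false; }
        if (in_.size() - pos_ < static_cast<std::size_t>(size)) { err = "truncated integer"; return false; }
        std::uint64_t raw = 0;
        for (int i = 0; i < size; ++i) raw |= static_cast<std::uint64_t>(in_[pos_++]) << (8 * i);
        if (is_signed && ((raw >> (8 * size - 1)) & 1u)) { err = "negative count is invalid"; return false; }
        out = raw;
        return true;
    }
};

// Convenience entry point: the bytes are those after '#'.
inline CountResult read_count(std::vector<unsigned char> after_hash) {
    return CountHeaderReader(std::move(after_hash)).read();
}

int main() {
    // Constructed inputs: "#i\xff" (count -1) and "#[U\x02U\x00]" (a zero dimension).
    for (const auto& in : {std::vector<unsigned char>{'i', 0xff},
                           std::vector<unsigned char>{'[', 'U', 0x02, 'U', 0x00, ']'}}) {
        const CountResult r = read_count(in);
        std::cout << (r.ok ? "ok, total=" + std::to_string(r.total) + (r.empty ? " (empty)" : "")
                           : "rejected: " + r.error) << '\n';
    }
}
```

The negative check is done on the declared width of the integer marker rather than after a cast, which is what makes "i 0xff" come back as an error instead of a count of 255 or 2^64-1; the overflow check is the reason a dimension vector such as [M 0xffffffffffffffff, U 2] is refused before any allocation is attempted.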

@fangq fangq requested a review from nlohmann as a code owner May 17, 2022 21:45
coveralls commented May 17, 2022

Coverage remained the same at 100.0% when pulling cbf72c6 on NeuroJSON:issue3492 into 6a73920 on nlohmann:develop.

nlohmann (Owner) left a comment

I checked the fix with the inputs of issues #3491, #3492, and #3490, and none encountered the assertions I added in #3498. I only have some smaller remarks.

nlohmann (Owner) left a comment

Looks good to me.

@nlohmann nlohmann self-assigned this May 18, 2022
@nlohmann nlohmann added this to the Release 3.11.0 milestone May 18, 2022
@nlohmann nlohmann merged commit 93c9e0c into nlohmann:develop May 18, 2022
nlohmann (Owner) commented

I let the fuzzer run on the now-merged branch and see no issues after letting it run for half an hour. 👍

nlohmann (Owner) commented

@fangq

I think I found another issue:

In the binary reader in function get_ubsize_size_value, we have

string_t key = "_ArraySize_";
if (JSON_HEDLEY_UNLIKELY(!sax->start_object(3) || !sax->key(key) || !sax->start_array(dim.size())))
{
    return false;
}

In an example input, I get the following SAX events:

<object size="3">
    <key key="_ArraySize_" />
    <array size="2">
        <number_integer val="2148925440" />
        <number_integer val="6701356247676222464" />
    </array>

However, the object that is started with sax->start_object(3) is never ended with a closing end_object() call. This yields issues down the road in the SAX-DOM parser, because when we call the return sax->end_array(); line at the end of the code block, we are still inside the unclosed object we started before.

Here is the respective input: crash.bjdata.zip

I will re-run the fuzzer with the enabled assertions from #3498 and see if I can find smaller examples.

nlohmann (Owner) commented

Here is a 14 byte example:

00000000: 5b5b 235b 5500 5b55 ff69 5d5d 5d5d       [[#[U.[U.i]]]]

which produces these SAX events:

<array>
    <object size="3">
        <key key="_ArraySize_" />
        <array size="2">
            <number_integer val="255" />
            <number_integer val="93" />
        </array>
        <array size="0">
        </array>
    </array>

The more I look at it: why is there a hard-coded 3 for the object size?

minimized.bjdata.zip
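The unbalanced event sequence shown above is exactly what a structure-checking SAX sink can catch. The following is an added example, not code from nlohmann/json or from this pull request: the event names mirror the SAX interface, but the BalanceChecker class and both replayed event lists are constructed for this example, the first one mirroring the 14-byte trace above (an object started with size 3 that is still open when the outer end_array() arrives).

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// A SAX sink that only checks structure: every start_* is closed by the matching
// end_* before the document ends, keys appear only inside objects, and a container
// declared with a size closes with exactly that many values.
class BalanceChecker {
public:
    static constexpr std::size_t unknown = static_cast<std::size_t>(-1);  // no declared size
    enum class Kind { Object, Array };

    bool start_object(std::size_t n) { stack_.push_back({Kind::Object, n, 0}); return true; }
    bool start_array(std::size_t n)  { stack_.push_back({Kind::Array,  n, 0}); return true; }
    bool end_object() { return close(Kind::Object, "end_object() but the innermost open container is not an object"); }
    bool end_array()  { return close(Kind::Array,  "end_array() but the innermost open container is not an array"); }
    bool key(const std::string&)      { return expect_top(Kind::Object, "key() outside an object"); }
    bool number_integer(std::int64_t) { return value(); }
    bool null()                       { return value(); }

    // True only if no error was recorded and every container has been closed.
    bool finished() const { return errors_.empty() && stack_.empty(); }
    std::size_t open_containers() const { return stack_.size(); }
    const std::vector<std::string>& errors() const { return errors_; }

private:
    struct Frame { Kind kind; std::size_t declared; std::size_t seen; };
    std::vector<Frame> stack_;
    std::vector<std::string> errors_;

    bool expect_top(Kind k, const char* what) {
        if (stack_.empty() || stack_.back().kind != k) { errors_.emplace_back(what); return false; }
        return true;
    }
    // Every completed value (scalar or closed container) counts toward its parent's size.
    bool value() { if (!stack_.empty()) ++stack_.back().seen; return true; }
    bool close(Kind k, const char* what) {
        if (!expect_top(k, what)) return false;
        const Frame f = stack_.back();
        stack_.pop_back();
        bool ok = true;
        if (f.declared != unknown && f.seen != f.declared) {
            errors_.emplace_back("container closed with a different element count than declared");
            ok = false;
        }
        value();
        return ok;
    }
};

// Event sequence constructed to mirror the SAX trace of the 14-byte input in this thread.
inline BalanceChecker replay_unclosed_object_trace() {
    BalanceChecker c;
    c.start_array(BalanceChecker::unknown);
    c.start_object(3);
    c.key("_ArraySize_");
    c.start_array(2);
    c.number_integer(255);
    c.number_integer(93);
    c.end_array();
    c.start_array(0);
    c.end_array();
    c.end_array();   // mismatch: the innermost open container is the object, not an array
    return c;
}

// A well-formed sequence for contrast.
inline BalanceChecker replay_balanced_trace() {
    BalanceChecker c;
    c.start_array(1);
    c.start_object(1);
    c.key("k");
    c.number_integer(1);
    c.end_object();
    c.end_array();
    return c;
}

int main() {
    for (const BalanceChecker& c : {replay_unclosed_object_trace(), replay_balanced_trace()}) {
        std::cout << (c.finished() ? "balanced" : "unbalanced")
                  << ", open containers: " << c.open_containers() << '\n';
        for (const std::string& e : c.errors()) std::cout << "  " << e << '\n';
    }
}
```

Wrapping a real SAX consumer with a checker of this shape is a cheap way to turn the "unclosed object" condition into a hard parse failure at the point where the mismatched end_array() arrives, instead of letting it surface later as a corrupted DOM.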

fangq (Contributor, Author) commented May 18, 2022

@nlohmann, let me know if the patch in #3502 fixes the errors.

etphipp added a commit to sandialabs/GenTen that referenced this pull request Sep 18, 2024
9cca280 JSON for Modern C++ 3.11.3 (#4222)
1d59774 Fix char_traits deprecation warning (#4179)
f56c6e2 Update documentation for the next release (#4216)
360ce45 Add serialization-only user defined type macros (#3816)
5d931c5 Fix failing CI checks (#4215)
6eab7a2 💚 fix documentation deploy
1dfe407 💚 fix documentation deploy
4ffd5bd 💚 fix documentation deploy
0261bc0 Fix CI (again) (#4196)
59da644 Add more specific error message when attempting to parse empty input (#4180)
cdb2906 fix cmake header path in install with custom CMAKE_INSTALL_INCLUDEDIR (#4194)
58d6aa5 Support Apple's Swift Package Manager (#4010)
edffad0 Fix MinGW CI (#4175)
6adae02 Fix spellcheck issue (#4173)
35c0b3e Fix source highlighting in user defined type macros docs (#4169)
fac07e2 Accept NEW CMake policies up to CMake 3.14 (#4112)
6d4b72d Fix compile error with _HAS_STATIC_RTTI=0 (#4046)
bbd2e16 Fix deprecation warning (#4161)
6e36c72 Fixed init-list construction when size_type is not int (#4140)
e75b94b Update index.md (#4159)
aa87ab8 Capture exceptions by const& in docs. (#4099)
1ce29fa Fix CI (#4160)
5fec803 Update index.md (#4149)
da92c0e Correct a typo in serve_header/README.md (#4143)
836b7be Fix CI, again (#4083)
788e546 Fix typo in afl_driver.cpp (#4109)
6cc0eaf Update CODEOWNERS (#4126)
5d27543 💸 add sponsor
c71ecde Use template get instead of get in examples (#4039)
7938788 Added to tests the file unit-algorithm.cpp (c++ 11) functions from algorithm library (#4044)
254395e Add to CONTRIBUTING.md that `make pretty` is required for test updates. (#4045)
ab06fc9 Fix Clang-Tidy warnings (#4047)
a0c1318 Fix CI + new Doctest (#3985)
6af826d Add Vcpkg port version badge (#3988)
546370c Set minimal permissions to Github Workflows (#3972)
bbe337c Prevent memory leak when exception is thrown in adl_serializer::to_json (#3901)
fe4b663 ⬆️ Bump future from 0.18.2 to 0.18.3 in /docs/mkdocs (#3934)
31c00dc Refactor amalgamation workflow to avoid dangerous use of pull_request_target (#3969)
6cec5ae custom allocators: define missing 'rebind' type (#3895)
b504dca Fix typo in test.cmake (#3951)
660d0b5 tests/unit-iterators2: use std::ranges::equals for range comparisons (#3950)
b230614 removed lgtm badge and added Cirrus CI badge (#3937)
8fa0d7b Change 2022 to 2023 (#3932)
233d233 Fix CI issues (#3906)
da6b908 PrettyPrinter: Check if match is valid before accessing group (#3920)
4c6cde7 Try old MinGW script (#3892)
a2f0593 Upgrade Python packages (#3891)
80dfb04 Fix warning about moved from object (#3889)
2ca8dab Remove a magic number (#3888)
885aa00 Add migration guide (#3887)
7f72eed Clang 15 (#3876)
094a3dc Add CIFuzz CI GitHub action (#3845)
ea870ea Bump certifi from 2022.6.15 to 2022.12.7 in /docs/mkdocs (#3872)
3c616ed 💚 fix Ubuntu build
813c329 💚 fix Ubuntu build
97f88ce 💚 fix Ubuntu build
44423b4 💚 fix Ubuntu build
3e99087 💚 fix Ubuntu build
b6dcf3e 💚 fix Ubuntu build
07182eb 💚 fix Ubuntu build
f7d46b8 💚 fix Ubuntu build
84e5a32 💚 fix Ubuntu build
23e6922 💚 fix Ubuntu build
5fa4e66 💚 fix Ubuntu build
c700a9e 💚 fix Ubuntu build
c5a03c2 💚 fix Ubuntu build
349e4b3 Fix natvis XML (#3863)
8f83153 🐛 fix natvis XML
24ba54e Fix pipeline (#3862)
a3e6e26 Bump joblib from 1.1.0 to 1.2.0 in /docs/mkdocs (#3781)
4b2c8ce Fix some typos for n-dimensional arrays (#3767)
17d9eac Add missing files to release artifacts (#3728)
f4658de Fix 'declaration hides global declaration' warning (#3751)
3d1252b Replace limit macros with std::numeric_limits (#3723)
2d1f9b6 Add Bazel build support (#3709)
9dfa722 Fix typos in .md files (#3748)
c920f3f Update Codacy link (#3740)
15ca78a Add dark mode toggle to documentation (#3726)
58bd97e Add clang-tools to required tools for ci_static_analysis_clang (#3724)
307c053 Add missing <numeric> include (#3719)
bed648c Allow custom base class as node customization point (#3110)
f7973f4 Use official Clang/GCC containers (#3703)
4c8cdd7 Add 'Check amalgamation' workflow (#3693)
8fcdbf2 Merge tag 'v3.11.2' into develop
bc889af Merge branch 'release/3.11.2'
9d69186 🔖 set version to 3.11.2
32bbd38 generate_natvis.py: validate version number; cleanup (#3698)
c0dae0f Add Python script for generating Natvis file and update file for 3.11.2 (#3697)
0e61ee8 Restructure inline namespace and allow version component to be disabled (#3683)
93112fb fix typo in json_pointer.md (#3692)
a92ccaf Deprecate json_pointer/string_t comparisons (#3684)
e1a3fb7 Add amalgamated json-fwd.hpp to release (#3687)
d79d12f Update docset index (#3686)
31265dc Make json_pointer usable as map key (again) (#3685)
231f310 Amalgamate the forward declaration header (#3679)
dae5412 Properly constrain non-string json_pointer overloads (#3681)
0c7a183 Reimplement value() access functions (#3663)
8eee62d Miscellaneous small fixes (#3643)
f1e3407 Fix 'const' qualifier on bool& has no effect (#3678)
bfbe774 🚑 fix documentation job
b0422f8 🚑 fix documentation job
7b6cf59 Documentation change (#3672)
9e1a7c8 Add json_pointer/string_t equality comparison operators (#3664)
e839f58 👷 fix whitespace (#3675)
01af734 Attempt to fix labeler permissions (#3674)
b13b874 Refine 'Publish documentation' workflow (#3673)
b6e2942 Complete contributor list (#3670)
500bdc5 Add labeler action (#3671)
98d70d4 Publish documentation on push to develop branch (#3660)
22cd1c9 🔧 adjust naming of GitHub action jobs (#3661)
ac20714 👥 complete contributor list (#3662)
2ac7d02 Add Discord badge to README (#3651)
3224202 Minor BJData fixes (#3637)
ac9e668 Update CI (#3626)
df98ca2 Merge tag 'v3.11.1' into develop
69d7448 Merge branch 'release/3.11.1'
f2020da 🔖 set version to 3.11.1
cbaf103 Fix global UDLs (#3646)
817a4a2 Merge tag 'v3.11.0' into develop
499422b Merge branch 'release/3.11.0'
ce0e13c 🔖 set version to 3.11.0
9aafcbe Move UDLs out of the global namespace (#3605)
8fd8b52 Prepare 3.11.0 release (#3635)
d3e347b More documentation updates for 3.11.0 (#3553)
11ba5c1 🚨 fix warning (#3634)
9472ab4 Add license header to new files (#3633)
66c8bb5 Add a unit test including windows.h (#3631)
19e4c2b Add regression tests for #3204 and #3333 (#3629)
fc3e64c Fixed latest build error in msvc platform (#3630)
a2578d1 Disable exceptions on ICPC (#3621)
d909f80 Add versioned, ABI-tagged inline namespace and namespace macros (#3590)
fca1ddd Fix patch::add creating nonexistent parents (#3628)
d1d79b9 Adjust JSON Pointer examples (#3622)
6576c3f build: install .pc and .cmake files to share/ (#3619)
e3095f6 Add operator<<(json_pointer) (#3601)
7777300 Install MinGW from GitHub NuGet registry (#3618)
a87c188 Re-add value_type detection to distinguish string types (#3604)
a714381 Use swap() by ADL (#3609)
298e4a9 Use concurrency (#3610)
5520761 Fix Unicode test timeout (for real this time!) (#3614)
2d48a4d Add documentation for comparing json and ordered_json (#3599)
e91686c Make sure iterator_input_adapter advances iterators correctly (#3548)
dbfd33a Add assertion if nullptr is passed to parse function (#3593)
b185c5b 📝 clean up after #3581 (#3596)
09fb481 add patch_inplace function (#3581)
4b6d363 📝 minor fixes (#3592)
feef0eb Add error message if test suite cannot be found (#3585)
527da54 Use REUSE framework (#3546)
2a9ae2b Make certain usage patterns more prominent in the README (#3557)
a15683e 📝 add badge for https://repology.org/project/nlohmann-json/versions (#3586)
d64d405 Ignore output directory (#3572)
71bdaf5 Enable overriding test properties and set Unicode test timeouts (#3580)
d4daaa8 Optimize output vector adapter write (#3569)
7d361ec Add overloads for more key types to ordered_map and fix ordered_map::erase(first, last) with first == last (#3564)
954b10a CI: fix "JSON_MultipleHeaders" option spelling (#3555)
39e2768 Use DOCTEST_* compiler macros and suppress pragmas warning (#3550)
87cda1d Use `std::iterator_traits` to extract `iterator_category` (#3544)
1373023 BJData dimension length can not be string_t::npos, fix #3541 (#3543)
f6acdbe Allow disabling default enum conversions (#3536)
e80945d CI: Enable 32bit unit test (3) (#3532)
9c31d54 Add to_json() for std::vector<bool>::reference (#3534)
af34396 Use new CI image (#3528)
48a102c Fix ndarray dimension signedness, fix ndarray length overflow (2); add 32bit unit test (#3523)
b6d00d1 Small documentation fixes (#3520)
7c65b5c Update json.hpp (#3499)
7a6e28a Add assertion to converting constructor (#3517)
560cede CI: Remove -Wstrict-overflow (#3516)
6058d9a Add more macOS builders (#3485)
046927c Fix nlohmann/json#3513, explain is_ndarray flag (#3514)
6b97599 Fix C++20/gcc-12 issues (Part 2) (#3446)
ede6667 Prevent ndarray size vector from recursive use, fix nlohmann/json#3503 (#3505)
41226d0 prevent ndarray dimension vector from recusive array, nlohmann/json#3500 (#3502)
6ff2ea3 🥅 add assertion for invariant in SAX-DOM parser (#3498)
93c9e0c Discard optimized containers with negative counts in UBJSON/BJData (#3491,#3492,#3490) (#3500)
6a73920 Complete documentation for 3.11.0 (#3464)
a8a547d change bjdata ndarray flag to detect negative size, as part of #3475 (#3479)
d6efe67 Document fuzzer usage (#3478)
b205361 Handle invalid BJData optimized type, fix #3461 (#3463)
bdc21ad Add build step for ICPC (with fixes) (#3465)
0c698b7 Add serve_header.py for rapid testing on Compiler Explorer (#3456)
b21c345 Reorganize directories (#3462)
5352856 Implement support for string_view (attempt no. 3) (#3423)
ee51661 Support UBJSON-derived Binary JData (BJData) format (#3336)
a6ee8bf Overwork documentation (#3444)
fcc36f9 ⬆️ cpplint 1.6.0 (#3454)
1a90c94 Disable regression test for #3070 on GCC <8.4 (#3451)
a944306 Fix typo in basic_json documentation (#3439)
616caea Re-template json_pointer on string type (#3415)
1deeb43 Exclude std::any from implicit conversion (fixes #3428) (#3437)
1034490 📝 document which version introduced the macros #3429 (#3431)
261cc4e Fix constraints on from_json() for strings (#3427)
15fa6a3 at.md: fix typo (#3426)
448b173 Update CI image (#3420)
52e16a9 🚸 add check if different version is also included #3337 (#3418)
fa91409 CI: speedup AppVeyor builds by ~30% (#3422)
c2054b9 Restore disabled check for #3070 (except on MSVC) (#3421)
ab5cecb Report the right __cplusplus value for MSVC in basic_json meta() (#3417)
33b75e5 CI: windows-2016 has been deprecated; remove jobs (#3416)
6121dbb Avoid clash with Arduino defines (#3338)
3b16057 Refactor unit tests to use more convenient doctest assertion macros (Part 2) (#3405)
66f6b4b 🔧 overwork issue template #3348
1ba7368 🔧 overwork issue template #3348
f7490e3 🔧 overwork issue template #3348
ce35256 Refactor unit tests to use more convenient doctest assertion macros (#3393)
ad103e5 Improve unit testing (Part 1) (#3380)
700b95f Make iterator operator++/--(int) equality-preserving (#3332)
f208a9c Fix C++20/gcc-12 issues (Part 1) (#3379)
4a6e6ca 📝 update documentation
8d7b5b6 Add clarification to avoid misunderstanding that cause #3360 (#3378)
0fd95d2 Fix ordered_map ctor with initializer_list (#3370)
c6d8892 FetchContent_MakeAvailable (#3351)
d1e57df Fix and update CI (#3368)
e4643d1 Fix CITATION.cff and add automatic validation of your citation metadata (#3320)
d8a6329 📝 add note on parsing ordered_json #3325 (#3326)
eb21824 📝 replace Doxygen links
eec79d4 Add macros NLOHMANN_DEFINE_TYPE_INTRUSIVE_WITH_DEFAULT and ..._NON_INTRUSIVE_WITH_DEFAULT (#3143)
c11f982 📝 document FetchContent
4d4c273 .github/workflows/windows.yml: Add support for Visual Studio 2022 (#3295)
b772649 Add maintainer targets to create source archive (#3289)
293f67f Fix a typo (#3265)
c6740d7 📝 add documentation for default behavior for macros
ef55601 📝 overwork documentation
6d8d043 ♻️ make function static
4b6220a ✏️ fix typo
b785783 Fix typo (#3249)
6cd68eb 📝 add documentation for JSON Lines (#3247)
4fc7b3d 🔧 adjust docset generation script
a8e86ba 📝 improve documentation InputType and IteratorType (#3246)
9e89c2f ♻️ remove stringstream (#3244)
78ddf2b fix _MSC_VER version to check for std::filesystem (#3240)
cc59ab1 Merge branch 'release/3.10.5' into develop

git-subtree-dir: tpls/json
git-subtree-split: 9cca280
3 participants