
CVE-2022-24795: heap-based buffer overflow when handling large inputs due to an integer overflow #388

Open
QuLogic opened this issue Apr 9, 2022 · 0 comments

QuLogic commented Apr 9, 2022

This was filed in Fedora against R-jsonlite because of the marked bundling, but originates in yajl. Thus it may not affect jsonlite directly if you don't call that functionality. The CVE information indicates:

The reallocation logic at yajl_buf.c#L64 may result in the `need` 32bit integer wrapping to 0 when `need` approaches a value of 0x80000000 (i.e. ~2GB of data), which results in a reallocation of buf->alloc into a small heap chunk.

These integers are declared as size_t in the 2.x branch of yajl, which practically prevents the issue from triggering on 64bit platforms, however this does not preclude this issue triggering on 32bit builds on which size_t is a 32bit integer.

Subsequent population of this under-allocated heap chunk is based on the original buffer size, leading to heap memory corruption.

See also the upstream issue at lloyd/yajl#239 and WIP PR at lloyd/yajl#240, as well as the adjacent fix at brianmario/yajl-ruby#211.
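The wrap the CVE text describes, as an added example that is neither yajl's code nor part of the original issue: a constructed doubling-reallocation routine modelled on that description, using a 32-bit size type (`size32_t`, an assumption here) so the overflow reproduces on a 64-bit host, beside an overflow-checked version that refuses the growth instead of returning an undersized allocation.

```c
#include <stdint.h>
#include <stdio.h>

/* Model a 32-bit size_t so the wrap is reproducible on a 64-bit host. */
typedef uint32_t size32_t;

/* Unchecked growth pattern (constructed, not yajl's code): double `need`
 * until the buffer has room for `want` more bytes past `used`. When `need`
 * is 0x80000000 one more doubling wraps to 0; `need - used` then wraps to a
 * huge value, the loop exits, and the caller would realloc() to size 0: a
 * tiny chunk that the original-size copy then overruns. Inputs here keep
 * used > 0, otherwise the wrapped loop would never terminate. */
size32_t grow_unchecked(size32_t alloc, size32_t used, size32_t want)
{
    size32_t need = alloc ? alloc : 2;
    while (want >= need - used)
        need <<= 1;                 /* silent wrap at 0x80000000 */
    return need;
}

/* Checked growth: same policy, but every addition and doubling is tested
 * for wrap first. Returns 0 (never a valid size here) to signal refusal,
 * so the caller can fail the parse instead of corrupting the heap. */
size32_t grow_checked(size32_t alloc, size32_t used, size32_t want)
{
    size32_t need = alloc ? alloc : 2;
    if (want > UINT32_MAX - used)   /* used + want would wrap */
        return 0;
    size32_t total = used + want;
    while (need <= total) {
        if (need > UINT32_MAX / 2)  /* need * 2 would wrap */
            return 0;
        need <<= 1;
    }
    return need;
}

int main(void)
{
    /* Constructed inputs: ~2 GiB already in use, 32 more bytes requested. */
    size32_t alloc = 0x80000000u, used = 0x7ffffff0u, want = 0x20u;
    printf("unchecked: need = 0x%08x\n", grow_unchecked(alloc, used, want));
    printf("checked:   need = 0x%08x (0 = refused)\n",
           grow_checked(alloc, used, want));
    return 0;
}
```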
