gnustep-base 1.23.0 does not reset the end-of-string pointer after flushing the character buffer into an NSString and proceeds copying the characters from the JSON string beyond the bounds of the buffer.
This has potential security implications if a malicious attacker tricked the victim into loading a malformed JSON structure from an untrusted source, which could trigger the condition and cause the program using the library to crash or execute arbitrary code. Fix follows.

* Source/NSJSONSerialization.m: (parseString): Reset bufferIndex to zero after flush.
* Tests/base/NSJSONSerialization/json.m: (main): Add long string to test fixture.

Index: Source/NSJSONSerialization.m =================================================================== --- Source/NSJSONSerialization.m (revision 34664) +++ Source/NSJSONSerialization.m (working copy) @@ -335,6 +335,7 @@ { NSMutableString *str; + bufferIndex = 0; str = [[NSMutableString alloc] initWithCharacters: buffer length: 64]; if (nil == val)
Index: Tests/base/NSJSONSerialization/json.m =================================================================== --- Tests/base/NSJSONSerialization/json.m (revision 34664) +++ Tests/base/NSJSONSerialization/json.m (working copy) @@ -14,6 +14,7 @@ \"Title\": \"View from 15th Floor\",\ \"Thumbnail\": {\ \"Url\": \"http://www.example.com/image/481989943\",\ + \"Description\": \"This is a long long long long long long long long long long long long long long long long long long long long long long long long long description.\",\ \"Height\": 125,\ \"Width\": \"100\"\ },\

-- Lubomir Rintel (GoodData) ext.: #7715

_______________________________________________
Bug-gnustep mailing list
Bug-gnustep@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-gnustep
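Review bot: in the Source/NSJSONSerialization.m hunk the new `bufferIndex = 0;` is placed before `str = [[NSMutableString alloc] initWithCharacters: buffer length: 64];` rather than after it. That ordering is only harmless because the flush copies a hard-coded 64 characters instead of `bufferIndex`; moving the reset after the string is built and replacing the literal 64 with the buffer-size constant (or with the pre-reset `bufferIndex`) would keep the flush length tied to what the buffer actually holds and make the intent, flush then rewind, obvious to the next reader. A one-line comment saying why the reset is needed would also help, since its absence was the whole bug.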
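Review bot: the "Description" fixture added in the Tests/base/NSJSONSerialization/json.m hunk is long enough to overrun the 64-character buffer, but its length is arbitrary and not tied to the buffer size, so the boundaries stay unexercised. Add strings of exactly 64, 65 and 128 characters (128 also confirms the index is rewound on the second flush, not only the first) and make sure the test compares the parsed value against the original string, since a value that is silently truncated or has a chunk duplicated would otherwise go unnoticed.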
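As an added illustration, not GNUstep's code and not part of the message above: a small C model of the flush-on-full pattern the report describes, run with and without the index reset. BUF_SIZE, read_string(), run_sample() and the struct names are assumptions made for this example, and the sample literal is constructed inline. The unfixed path counts the store that would land past the buffer instead of performing it, so the program stays well defined while still showing the duplicated chunks and the out-of-bounds stores.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the defect in the report, not GNUstep code. BUF_SIZE,
 * read_string(), run_sample() and the struct names are assumptions. */
#define BUF_SIZE 64

struct read_result {
    char  *str;        /* accumulated string, heap allocated, NUL terminated */
    size_t len;        /* its length */
    int    flushes;    /* in-loop flushes of the full staging buffer */
    int    oob_writes; /* stores the unfixed logic would make past the buffer */
};

/* Append n bytes of chunk to the growable result string. */
static void append(struct read_result *r, const char *chunk, size_t n)
{
    char *p = realloc(r->str, r->len + n + 1);
    if (p == NULL) { perror("realloc"); exit(1); }
    memcpy(p + r->len, chunk, n);
    r->len += n;
    p[r->len] = '\0';
    r->str = p;
}

/* Read a double-quoted literal starting at in[0]. Characters are staged in a
 * BUF_SIZE stack buffer that is flushed into the result when full. With
 * reset_after_flush == 0 the index is never rewound, so the next store would
 * hit buffer[BUF_SIZE] and beyond; that store is counted in oob_writes instead
 * of being performed. Returns 0 on success, -1 if the literal is malformed. */
int read_string(const char *in, int reset_after_flush, struct read_result *r)
{
    char   buffer[BUF_SIZE];
    size_t idx = 0;

    memset(r, 0, sizeof *r);
    if (*in != '"') return -1;
    for (in++; *in != '\0' && *in != '"'; in++) {
        if (idx >= BUF_SIZE) {              /* staging buffer is full */
            append(r, buffer, BUF_SIZE);    /* flush it into the result */
            r->flushes++;
            if (reset_after_flush)
                idx = 0;                    /* the one-line fix */
        }
        if (idx < BUF_SIZE)
            buffer[idx] = *in;
        else
            r->oob_writes++;                /* buffer[idx], idx >= BUF_SIZE */
        idx++;
    }
    if (*in != '"') return -1;              /* unterminated literal */
    /* Copy the partial tail; without the reset idx can exceed BUF_SIZE, which
     * would over-read the buffer in real code, so clamp it here. */
    if (idx > 0)
        append(r, buffer, idx < BUF_SIZE ? idx : BUF_SIZE);
    return 0;
}

/* ok: read_string returned 0; roundtrip: result equals the payload exactly. */
struct sample_stats { int ok, roundtrip, flushes, oob_writes; };

/* Build a constructed literal of n payload characters (repeating digits),
 * parse it with or without the fix, and report what happened. */
struct sample_stats run_sample(size_t n, int reset_after_flush)
{
    struct sample_stats s = {0, 0, 0, 0};
    struct read_result  r;
    char  *payload = malloc(n + 1);
    char  *literal = malloc(n + 3);
    size_t i;

    if (payload == NULL || literal == NULL) { perror("malloc"); exit(1); }
    for (i = 0; i < n; i++)
        payload[i] = (char)('0' + i % 10);
    payload[n] = '\0';
    literal[0] = '"';
    memcpy(literal + 1, payload, n);
    literal[n + 1] = '"';
    literal[n + 2] = '\0';

    s.ok = (read_string(literal, reset_after_flush, &r) == 0);
    if (s.ok) {
        s.roundtrip  = (r.len == n && (n == 0 || memcmp(r.str, payload, n) == 0));
        s.flushes    = r.flushes;
        s.oob_writes = r.oob_writes;
    }
    free(r.str);
    free(payload);
    free(literal);
    return s;
}

int main(void)
{
    size_t lengths[] = {63, 64, 65, 128, 150};
    size_t i;
    int    fix;

    printf("%6s %4s %6s %8s %4s\n", "len", "fix", "rtrip", "flushes", "oob");
    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        for (fix = 0; fix <= 1; fix++) {
            struct sample_stats s = run_sample(lengths[i], fix);
            printf("%6zu %4d %6d %8d %4d\n", lengths[i], fix,
                   s.roundtrip, s.flushes, s.oob_writes);
        }
    return 0;
}
```

Strings of up to 64 characters behave identically with and without the reset, which is why a fixture has to exceed the buffer size to catch this defect at all; a 128-character string forces a second flush and checks that the index is rewound every time rather than only once.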