gnustep-base 1.23.0 does not reset the end-of-string pointer after flushing the 
character buffer into an NSString and proceeds copying the characters from the JSON 
string beyond the bounds of the buffer.

This has potential security implications if a malicious attacker tricked the 
victim into loading a malformed JSON structure from an untrusted source, which could 
trigger the condition and cause the program using the library to crash or 
execute arbitrary code.

Fix follows.

* Source/NSJSONSerialization.m: (parseString): Reset bufferIndex to zero after
flush.

* Tests/base/NSJSONSerialization/json.m: (main): Add long string to test 
fixture.
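A small C model of the flush-and-reset logic described above, added here as an example; it is not code from the patch or from gnustep-base, and copy_via_buffer, sample_string, copies_ok and the 64-character scratch buffer (BUF_CHARS) are assumptions modelled on the hunk. The unpatched path is reported as an out-of-bounds write instead of performed, and the patched path is checked to round-trip strings at and across the buffer boundary.

```c
#include <string.h>

#define BUF_CHARS 64  /* assumed scratch buffer size, matching the 64 in the patch */

/* Copy src into out (capacity out_cap) through a BUF_CHARS scratch buffer,
 * flushing to out each time it fills.  reset_on_flush = 1 is the patched
 * behaviour, 0 models the bug.  Returns characters written, or -1 when the
 * next write would leave the scratch buffer (detected, not performed). */
static long copy_via_buffer(const char *src, char *out, size_t out_cap, int reset_on_flush)
{
    char buffer[BUF_CHARS];
    size_t bufferIndex = 0, written = 0;

    for (const char *p = src; *p != '\0'; p++) {
        if (bufferIndex >= BUF_CHARS)
            return -1;              /* index never reset: out-of-bounds write */
        buffer[bufferIndex++] = *p;
        if (bufferIndex == BUF_CHARS) {
            if (written + BUF_CHARS >= out_cap) return -1;
            memcpy(out + written, buffer, BUF_CHARS);   /* flush the full chunk */
            written += BUF_CHARS;
            if (reset_on_flush) bufferIndex = 0;        /* the one-line fix */
        }
    }
    if (written + bufferIndex >= out_cap) return -1;
    memcpy(out + written, buffer, bufferIndex);         /* flush the remainder */
    written += bufferIndex;
    out[written] = '\0';
    return (long)written;
}

/* Constructed input: len characters cycling through a..z, so a duplicated or
 * dropped chunk changes the result.  Returns a static buffer. */
static const char *sample_string(size_t len)
{
    static char s[512];
    if (len >= sizeof s) len = sizeof s - 1;
    for (size_t i = 0; i < len; i++) s[i] = (char)('a' + i % 26);
    s[len] = '\0';
    return s;
}

/* 1 if a string of length len comes through the copier unchanged
 * (patched = 1 for the fixed path, 0 for the buggy one). */
static int copies_ok(size_t len, int patched)
{
    char out[1024];
    const char *src = sample_string(len);
    return copy_via_buffer(src, out, sizeof out, patched) == (long)len && strcmp(out, src) == 0;
}
```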

Index: Source/NSJSONSerialization.m
===================================================================
--- Source/NSJSONSerialization.m        (revision 34664)
+++ Source/NSJSONSerialization.m        (working copy)
@@ -335,6 +335,7 @@
         {
           NSMutableString *str;
 
+          bufferIndex = 0;
           str = [[NSMutableString alloc] initWithCharacters: buffer
                                                     length: 64];
           if (nil == val)
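Review bot: the reset is placed correctly (the buffer contents are still copied in full by the initWithCharacters: call that follows, and bufferIndex only needs to be zero before the next character is stored), but the flush hard-codes `length: 64` while the fill threshold that brings bufferIndex to 64 lives elsewhere; passing the pre-reset bufferIndex, or a shared constant for the buffer size, to initWithCharacters:length: would keep the flushed length tied to the buffer size. The hunk also shows only the flush that allocates `str`; if a later path appends further full chunks to `str` from the same buffer, please confirm bufferIndex is reset there as well.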
Index: Tests/base/NSJSONSerialization/json.m
===================================================================
--- Tests/base/NSJSONSerialization/json.m       (revision 34664)
+++ Tests/base/NSJSONSerialization/json.m       (working copy)
@@ -14,6 +14,7 @@
           \"Title\":  \"View from 15th Floor\",\
           \"Thumbnail\": {\
               \"Url\":    \"http://www.example.com/image/481989943\",\
+              \"Description\": \"This is a long long long long long long long 
long long long long long long long long long long long long long long long long 
long long description.\",\
               \"Height\": 125,\
               \"Width\":  \"100\"\
           },\
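Review bot: the added `\"Description\"` line has been wrapped onto three lines in the mail, so the patch will not apply as posted (the backslash continuation now ends up inside the string literal); attaching the patch or resending with that line unbroken would fix it. The new value is also well past the 64-character flush; adding strings of exactly 64 and 65 characters would cover the boundary the reset guards, and, if the test currently only checks that parsing succeeds, asserting that the parsed Description equals the literal would catch silent truncation or duplication rather than only a crash.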

-- 
Lubomir Rintel (GoodData)
ext.: #7715


_______________________________________________
Bug-gnustep mailing list
Bug-gnustep@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-gnustep