Closed
Description
Hi,
When fuzzing the cJSON library, I found a segmentation fault in cJSON_SetValuestring.
If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer dereference happens in the following statements:
```c
CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
{
    ···
    if (object->valuestring == NULL)
    {
        return NULL;
    }
    if (strlen(valuestring) <= strlen(object->valuestring)) // null pointer dereference happens here
    {
        strcpy(object->valuestring, valuestring);
        return object->valuestring;
    }
```

The PoC is as follows:

```c
cJSON *item = cJSON_CreateString("apple");
cJSON_SetValuestring(item, NULL);
```

The null pointer dereference here can potentially cause a denial of service (DoS). Maybe we can check it before strlen(), just as object->valuestring is checked.
Affected Version
commit 87d8f0961a01bf09bef98ff89bae9fdec42181ee (HEAD -> master, tag: v1.7.17, origin/master, origin/HEAD)
Author: Alanscut <[email protected]>
Date: Tue Dec 26 10:07:05 2023 +0800
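As an added illustration (not cJSON's own code and not part of the report), a reduced stand-in for the setter that adds the missing NULL check before strlen(), with the report's PoC turned into a check that the NULL input is rejected and the item is left intact. The `item_t` struct and the `safe_set_valuestring` / `poc_rejects_null` names are hypothetical.

```c
/* Added example, not cJSON code: minimal model of cJSON_SetValuestring
 * with a NULL check on the incoming valuestring. */
#include <stdlib.h>
#include <string.h>

/* Hypothetical reduced item: only the field the bug involves. */
typedef struct {
    char *valuestring;
} item_t;

/* Hardened setter: reject NULL before strlen() can dereference it,
 * mirroring the existing object->valuestring check. */
static char *safe_set_valuestring(item_t *object, const char *valuestring)
{
    size_t new_len, old_len;
    char *copy;

    if (object == NULL || valuestring == NULL || object->valuestring == NULL)
    {
        return NULL;
    }
    new_len = strlen(valuestring);
    old_len = strlen(object->valuestring);
    if (new_len <= old_len)
    {
        memcpy(object->valuestring, valuestring, new_len + 1); /* fits in place */
        return object->valuestring;
    }
    copy = (char *)malloc(new_len + 1);
    if (copy == NULL)
    {
        return NULL;
    }
    memcpy(copy, valuestring, new_len + 1);
    free(object->valuestring);
    object->valuestring = copy;
    return object->valuestring;
}

/* The report's PoC against the hardened setter: returns 1 when the NULL
 * input is rejected and the original "apple" string survives untouched. */
static int poc_rejects_null(void)
{
    item_t item;
    int ok;
    item.valuestring = (char *)malloc(6);
    if (item.valuestring == NULL) return 0;
    memcpy(item.valuestring, "apple", 6);
    ok = (safe_set_valuestring(&item, NULL) == NULL)
         && (strcmp(item.valuestring, "apple") == 0);
    free(item.valuestring);
    return ok;
}
```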