Big number leads to panic on overflow with addition #139

Closed
@JonnytheRipper

Description

The afl.rs fuzzer figured that calling json::parse() with a string consisting of an eight, followed by 32786 zeroes (or greater), triggers a panic in the parser when compiled in debug mode.

Example test:

extern crate json;

fn main() {
    // Build the fuzzer-found input: an '8' followed by 32786 zeroes.
    let mut string = String::from("8");
    for _ in 1..32787 {
        string.push('0');
    }
    // In a debug build this panics with 'attempt to add with overflow'
    // inside Parser::read_big_number.
    let _ = json::parse(&string);
}

     Finished dev [unoptimized + debuginfo] target(s) in 0.71 secs
     Running `target/debug/json`
thread 'main' panicked at 'attempt to add with overflow', /home/jonny/.cargo/registry/src/github.com-1ecc6299db9ec823/json-0.11.12/src/parser.rs:581:41
stack backtrace:
   0: std::sys::imp::backtrace::tracing::imp::unwind_backtrace
             at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1: std::sys_common::backtrace::_print
             at /checkout/src/libstd/sys_common/backtrace.rs:68
   2: std::panicking::default_hook::{{closure}}
             at /checkout/src/libstd/sys_common/backtrace.rs:57
             at /checkout/src/libstd/panicking.rs:381
   3: std::panicking::default_hook
             at /checkout/src/libstd/panicking.rs:397
   4: std::panicking::rust_panic_with_hook
             at /checkout/src/libstd/panicking.rs:577
   5: std::panicking::begin_panic
             at /checkout/src/libstd/panicking.rs:538
   6: std::panicking::begin_panic_fmt
             at /checkout/src/libstd/panicking.rs:522
   7: rust_begin_unwind
             at /checkout/src/libstd/panicking.rs:498
   8: core::panicking::panic_fmt
             at /checkout/src/libcore/panicking.rs:71
   9: core::panicking::panic
             at /checkout/src/libcore/panicking.rs:51
  10: json::parser::Parser::read_big_number
             at /home/jonny/.cargo/registry/src/github.com-1ecc6299db9ec823/json-0.11.12/src/parser.rs:581
  11: json::parser::Parser::parse
             at /home/jonny/.cargo/registry/src/github.com-1ecc6299db9ec823/json-0.11.12/src/parser.rs:687
  12: json::parser::parse
             at /home/jonny/.cargo/registry/src/github.com-1ecc6299db9ec823/json-0.11.12/src/parser.rs:773
  13: json::main
             at src/main.rs:7
  14: __rust_maybe_catch_panic
             at /checkout/src/libpanic_unwind/lib.rs:101
  15: std::rt::lang_start
             at /checkout/src/libstd/panicking.rs:459
             at /checkout/src/libstd/panic.rs:365
             at /checkout/src/libstd/rt.rs:58
  16: main
  17: __libc_start_main
  18: <unknown>
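The panic comes from the parser's big-number path, where digits that no longer fit the integer mantissa are counted into a decimal exponent with a plain addition, so a long enough run of digits overflows the counter. The following is an added example, not json-rust's own code: a minimal digit reader that mirrors that path and uses `checked_add` on the exponent so that the same input is rejected with an error instead of panicking (debug) or silently wrapping (release). It assumes the exponent is an `i16`, which is a guess based on the reporter's 32786-digit threshold; the type names `BigNumber`, `NumberError` and the helper `overflow_input` are invented for the illustration.

```rust
// Added example (not json-rust's code). Reads a run of ASCII digits into a
// u64 mantissa and counts the digits that do not fit into an i16 decimal
// exponent, refusing the input when the exponent counter would overflow.

#[derive(Debug, PartialEq)]
pub enum NumberError {
    /// More digits than the exponent counter can account for.
    ExponentOverflow,
    /// A byte that is not an ASCII digit.
    InvalidDigit(u8),
}

/// Result of reading a digit run: the leading digits that fit into a u64
/// and a decimal exponent for the digits that did not (value = mantissa * 10^exponent).
#[derive(Debug, PartialEq)]
pub struct BigNumber {
    pub mantissa: u64,
    pub exponent: i16, // assumed counter width, see lead-in
}

pub fn read_digits(input: &[u8]) -> Result<BigNumber, NumberError> {
    let mut mantissa: u64 = 0;
    let mut exponent: i16 = 0;
    let mut overflowed = false;

    for &b in input {
        if !b.is_ascii_digit() {
            return Err(NumberError::InvalidDigit(b));
        }
        let d = (b - b'0') as u64;

        if !overflowed {
            // Accumulate into the mantissa while it still fits.
            match mantissa.checked_mul(10).and_then(|m| m.checked_add(d)) {
                Some(m) => {
                    mantissa = m;
                    continue;
                }
                None => overflowed = true,
            }
        }

        // The digit does not fit: account for it in the exponent instead.
        // A bare `exponent += 1` here is the pattern that panics in debug
        // builds and wraps in release builds; checked_add turns it into an error.
        exponent = exponent
            .checked_add(1)
            .ok_or(NumberError::ExponentOverflow)?;
    }

    Ok(BigNumber { mantissa, exponent })
}

/// Constructs the reporter's input shape: an '8' followed by `zeros` zeroes.
pub fn overflow_input(zeros: usize) -> String {
    let mut s = String::with_capacity(zeros + 1);
    s.push('8');
    for _ in 0..zeros {
        s.push('0');
    }
    s
}

fn main() {
    // Constructed input matching the fuzzer case: '8' plus 32786 zeroes.
    match read_digits(overflow_input(32786).as_bytes()) {
        Ok(n) => println!("parsed: mantissa={} exponent={}", n.mantissa, n.exponent),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```

With an `i16` counter, 19 digits fit the `u64` mantissa (8 followed by 18 zeroes) and every further digit increments the exponent, so '8' plus 32785 zeroes still parses while '8' plus 32786 zeroes is rejected rather than panicking; a parser can map that error to an ordinary parse failure for the caller.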
