Heap-buffer-overflow (OSS-Fuzz issue 366)

[nlohmann]

Detailed report: https://clusterfuzz-external.appspot.com/testcase?key=6389881328631808

Project: json
Fuzzer: libFuzzer_json_fuzzer-parse_cbor
Fuzz target binary: fuzzer-parse_cbor
Job Type: libfuzzer_asan_json
Platform Id: linux

Crash Type: Heap-buffer-overflow READ 1
Crash Address: 0x6020000000d1
Crash State:
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha
nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<cha
_start

Recommended Security Severity: Medium

Regressed: https://clusterfuzz-external.appspot.com/revisions?job=libfuzzer_asan_json&range=201612280923:201612281110

Minimized Testcase (0.00 Kb):
Download: https://clusterfuzz-external.appspot.com/download/AMIfv966Em_K8UOgnsngPWgxZ8qsH_julqkD3HcQfMo22dZ-YX0xGwy1yx2sr_OWR_Es6N15TRNpcNbERPUaO2yfCwmUMx4o6jlF_uJWXM0fnjTXqSCIVEx3KC4oSwOsIIPdcjeMNH9wQlzBEcZtR9M46kWc1fjDdyxEqi9ieUgrZFVBstgA1KqwVRjJ4B_Lspp3tKNyanvYdZYu_A74yUANK8XeW1ClnMzrkOQ_u7hfH7s1DHiH6i4TzrYrY0EKB9xZqYctrUf4V9yKKW1zmlUda0ZSMA4Inv0iWS7ox13NZgJMPdG3Yw9PWQxuiHjjfjKfLCjy5ZsD1DYPDzOVu1KRZkWlRiG4AMz64raXrrOMWg2ThjXWhMWBhrV9J1-uTWlWR1bkulo_?testcase_id=6389881328631808
�


Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.

Input: 0x7f

=================================================================
==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000d1 at pc 0x00000051e97f bp 0x7fffed42a3f0 sp 0x7fffed42a3e8
READ of size 1 at 0x6020000000d1 thread T0
SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
#0 0x51e97e in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor_internal(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&, unsigned long&) /src/json/src/json.hpp:7325:24
#1 0x511bbc in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator>::from_cbor(std::__1::vector<unsigned char, std::__1::allocator<unsigned char> > const&) /src/json/src/json.hpp:7720:16
#2 0x51107e in LLVMFuzzerTestOneInput /src/json/./test/src/fuzzer-parse_cbor.cpp:34:19
#3 0x5c8878 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:541:13
#4 0x5c95d4 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:492:3
#5 0x559eb7 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:267:6
#6 0x562023 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:485:9
#7 0x558318 in main /src/libfuzzer/FuzzerMain.cpp:20:10
#8 0x7f2164b0182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#9 0x41b978 in _start (/mnt/scratch0/clusterfuzz/slave-bot/builds/clusterfuzz-builds_json_26b1464c0c18fac23c49bf26ed996090f90e682a/revisions/fuzzer-parse_cbor+0x41b978)

[nlohmann]

Diagnosis: 0x7f is an UTF-8 string of undetermined length which was never closed.