Undeclared exceptions thrown by `JSON.parse`
fmeum opened this issue · 3 comments
While fuzzing fastjson in version 1.2.75, I found 4 cases of undeclared exceptions (i.e., exceptions other than JSONException).
The crashes can be reproduced with the following standalone Java applications, which require fastjson-1.2.75.jar from https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.75/fastjson-1.2.75.jar in the classpath.
Issue 1: NumberFormatException
```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash1 {
    public static void main(String[] args) {
        try {
            JSON.parse("{[-");
        } catch (JSONException unused) {
            // JSONException is the declared failure mode; anything else
            // (here a NumberFormatException) propagates and crashes the program.
            return;
        }
    }
}
```
Issue 2: ClassCastException
```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash2 {
    public static void main(String[] args) {
        try {
            JSON.parse("TreeSet[[]");
        } catch (JSONException unused) {
            // Only JSONException is caught; the ClassCastException escapes.
            return;
        }
    }
}
```
Issue 3: ArrayIndexOutOfBoundsException
```java
import java.util.Base64;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash3 {
    // Decodes the base64-encoded fuzzer input back into the raw string
    // (the input is not printable, hence the encoding).
    public static String btoa(String base64) {
        return new String(Base64.getDecoder().decode(base64));
    }

    public static void main(String[] args) {
        try {
            JSON.parse(btoa("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"));
        } catch (JSONException unused) {
            // Only JSONException is caught; the ArrayIndexOutOfBoundsException escapes.
            return;
        }
    }
}
```
Issue 4: ArrayIndexOutOfBoundsException
```java
import java.util.Base64;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash4 {
    // Decodes the base64-encoded fuzzer input back into the raw string.
    public static String btoa(String base64) {
        return new String(Base64.getDecoder().decode(base64));
    }

    public static void main(String[] args) {
        try {
            JSON.parse(btoa("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"));
        } catch (JSONException unused) {
            // Only JSONException is caught; the ArrayIndexOutOfBoundsException escapes.
            return;
        }
    }
}
```
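The four reproducers above share one shape: a caller that handles the documented `JSONException` is still crashed by a different `RuntimeException`. The following is an added example (not code from this issue, from fmeum, or from fastjson) that turns that observation into a reusable check and a defensive parsing boundary. It assumes fastjson-1.2.75.jar on the classpath exactly as the reproducers do; the class name `UndeclaredExceptionCheck`, the `Outcome` enum and the methods `classify` and `parseUntrusted` are my own names, and it relies on the `JSONException(String, Throwable)` constructor of fastjson.

```java
// Added example, not part of the original issue or of fastjson.
// Assumes fastjson-1.2.75.jar on the classpath, as in the reproducers above.
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class UndeclaredExceptionCheck {

    /** How JSON.parse reacted to one input. */
    public enum Outcome { PARSED, DECLARED_JSON_EXCEPTION, UNDECLARED_EXCEPTION }

    /**
     * Classifies a single input. JSONException is the documented failure
     * mode; any other RuntimeException is an undeclared one, which is what
     * the reproducers in this issue trigger.
     */
    public static Outcome classify(String input) {
        try {
            JSON.parse(input);
            return Outcome.PARSED;
        } catch (JSONException expected) {
            return Outcome.DECLARED_JSON_EXCEPTION;
        } catch (RuntimeException undeclared) {
            return Outcome.UNDECLARED_EXCEPTION;
        }
    }

    /**
     * Defensive boundary for parsing untrusted input: callers see a single
     * declared exception type whatever RuntimeException escapes the parser,
     * so a malformed document cannot take down a request handler or worker
     * thread with an exception type nobody catches.
     */
    public static Object parseUntrusted(String input) {
        try {
            return JSON.parse(input);
        } catch (JSONException e) {
            throw e;
        } catch (RuntimeException e) {
            // Keep the original exception as the cause so the bug can still
            // be reported upstream, but present one declared type to callers.
            throw new JSONException(
                    "undeclared parser failure: " + e.getClass().getName(), e);
        }
    }

    public static void main(String[] args) {
        // Constructed input list: the two plain-text inputs from this issue
        // plus two well-formed documents as a control.
        List<String> inputs = Arrays.asList("{[-", "TreeSet[[]", "{\"a\":1}", "[1,2,3]");
        List<String> undeclared = new ArrayList<>();
        for (String in : inputs) {
            Outcome o = classify(in);
            System.out.printf("%-12s -> %s%n", in, o);
            if (o == Outcome.UNDECLARED_EXCEPTION) {
                undeclared.add(in);
            }
        }
        // A unit test or fuzz harness would fail here; OSS-Fuzz reports the
        // same condition as a crash.
        if (!undeclared.isEmpty()) {
            System.err.println("inputs with undeclared exceptions: " + undeclared);
            System.exit(1);
        }
    }
}
```

Run it with the same classpath as the reproducers. `classify` is the check a regression test can apply to every corpus entry from the fuzzer, while `parseUntrusted` is the mitigation to put at the trust boundary of an application that cannot wait for an upstream fix: it does not make the parser correct, but it confines the blast radius of a malformed document to one catchable exception type.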
@wenshao
Has anyone done anything about this issue?
I am willing to solve it in a few months.
As the issues reported in this thread were found via fuzzing, I have drafted a PR that would set up fastjson for continuous fuzzing in OSS-Fuzz: google/oss-fuzz#5373
Let me know if you have any questions or concerns.
@wenshao Sorry, I didn't intend for google/oss-fuzz#5373 to be merged right away. If you want me to make any changes or revert the OSS-Fuzz integration entirely, please let me know.