Description
A SEGV occurs in cJSONUtils_ApplyPatchesCaseSensitive at cJSON_Utils.c:1085.
Version
commit c859b25da02955fef659d658b8f324b5cde87be3 (HEAD -> master, tag: v1.7.19, origin/master, origin/HEAD)
Author: Alan Wang <wp_scut@163.com>
Date: Tue Sep 9 21:56:10 2025 +0800
Release 1.7.19 (#958)
Steps to reproduce
The crash can be reproduced with the following minimal C program:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "cJSON.h"
#include "cJSON_Utils.h"
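/*
 * Minimal reproducer: read the file named by argv[1] into a NUL-terminated
 * buffer, parse it as JSON and apply it as a patch array to an empty object.
 * Returns 0 on every path; the crash under investigation happens inside
 * cJSONUtils_ApplyPatchesCaseSensitive (the sanitizer trace shows strlen()
 * on a NULL pointer in cJSONUtils_strdup, reached via detach_path).
 */
int main(int argc, char **argv)
{
    unsigned char *data = NULL;
    cJSON *obj_1 = NULL;
    cJSON *obj_2 = NULL;

    if (argc < 2) {
        return 0;
    }

    FILE *fp = fopen(argv[1], "rb");
    if (!fp) {
        return 0;
    }

    /* ftell() reports failure as -1; the original stored it straight into a
     * size_t, which would turn into an enormous malloc() request.  Check the
     * seeks as well, so a non-seekable input bails out instead of misbehaving. */
    if (fseek(fp, 0, SEEK_END) != 0) {
        goto out_close;
    }
    long len = ftell(fp);
    if (len < 0 || fseek(fp, 0, SEEK_SET) != 0) {
        goto out_close;
    }
    size_t size = (size_t)len;

    data = malloc(size + 1); /* +1 for the terminating NUL */
    if (!data) {
        goto out_close;
    }
    if (fread(data, 1, size, fp) != size) {
        goto out_free;
    }
    data[size] = '\0';

    obj_1 = cJSON_CreateObject();
    /* cJSON_Parse() takes const char *; the original passed unsigned char *
     * without a cast, which is an incompatible-pointer-type violation. */
    obj_2 = cJSON_Parse((const char *)data);
    if (obj_1 && obj_2) {
        cJSONUtils_ApplyPatchesCaseSensitive(obj_1, obj_2);
    }

    if (obj_1) {
        cJSON_Delete(obj_1);
    }
    if (obj_2) {
        cJSON_Delete(obj_2);
    }

out_free:
    free(data);
out_close:
    fclose(fp);
    return 0;
}
$ https://github.com/DaveGamble/cJSON; cd cJSON.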
$ clang -fsanitize=address -O0 -g -o minimize ./minimize.c cJSON.c cJSON_Utils.c
$ ./minimize poc-ApplyPatchesCaseSensitive-SEGV
=================================================================
==544063==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x757b239b213c bp 0x7ffc00685a30 sp 0x7ffc006851e8 T0)
==544063==The signal is caused by a READ memory access.
==544063==Hint: address points to the zero page.
#0 0x757b239b213c string/../sysdeps/x86_64/multiarch/strlen-evex.S:77
#1 0x5584c61d7489 in strlen (/Data/du4t/harnessGeneration/testcase/cJSON/5-CVE+0x36489) (BuildId: 675a8db95ab4b2105e92973333a1dd1eccdabf1b)
#2 0x5584c629b059 in cJSONUtils_strdup /cJSON/cJSON_Utils.c:71:14
#3 0x5584c629b059 in detach_path /cJSON/cJSON_Utils.c:438:22
#4 0x5584c62973db in apply_patch /cJSON/cJSON_Utils.c:918:21
#5 0x5584c6297e3f in cJSONUtils_ApplyPatchesCaseSensitive /cJSON/cJSON_Utils.c:1085:18
#6 0x5584c62800d0 in main cJSON/minimize.c:30:9
#7 0x757b23829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#8 0x757b23829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#9 0x5584c61c0414 in _start (/cJSON/5+0x1f414) (BuildId: 675a8db95ab4b2105e92973333a1dd1eccdabf1b)
POC
https://github.com/Du4t/POC/blob/main/cJSON/poc-ApplyPatchesCaseSensitive-SEGV
Impact
Potential denial of service: the NULL pointer read crashes the process.