[Security] Stack Overflow via Uncontrolled Recursion in cJSONUtils_MergePatch #995
Description
Clear and concise description of the bug:
A stack overflow vulnerability exists in the cJSON_Utils library due to uncontrolled recursion in the cJSONUtils_MergePatch function. When processing a JSON Merge Patch (RFC 7396) with deeply nested objects, the function recursively traverses the patch without any depth limit. This exhausts the system stack memory, leading to a segmentation fault and application crash (Denial of Service).
Steps to reproduce the bug :
To reproduce this with the existing test suite, modify tests/old_utils_tests.c to dynamically inject a deeply nested object:
1.Increase the size of the merges array and add a placeholder:
static const char *merges[16][3] = {
// ... existing tests ...
{"{}", "RECURSIVE_PLACEHOLDER", "{}"}
};2.Modify the test loop in merge_tests to dynamically build a 30,000-layer object when the placeholder is encountered:
if (strcmp(merges[i][1], "RECURSIVE_PLACEHOLDER") == 0) {
int depth = 30000;
int d = 0;
patch = cJSON_CreateObject();
cJSON *current = patch;
for (d = 0; d < depth; d++) {
cJSON *next = cJSON_CreateObject();
cJSON_AddItemToObject(current, "a", next);
current = next;
}
}3.Build and run the tests:
mkdir build
cd build
cmake .. -DENABLE_CJSON_UTILS=On -DENABLE_CJSON_TEST=On -DCMAKE_BUILD_TYPE=Debug
make
./tests/old_utils_tests .Expected behavior:
The function should either successfully process the nested structure or, more appropriately, return an error when a pre-defined recursion depth limit is exceeded, similar to the CJSON_NESTING_LIMIT enforced in the core library.
Observed behavior:
The program crashes with a Segmentation fault. GDB backtrace shows thousands of recursive calls to merge_patch (frames reaching over #13000), eventually exhausting the default stack size.
Platform(s) (compiler version, operating system version, CPU) on which the bug was observed:
OS: Ubuntu Linux 20.04+
Compiler: GCC
cJSON release(s), commit(s), or branch(es) in which the bug was observed :
cJSON(main branch)