Heap buffer overflow in cuJSONIterator::gotoArrayIndex #4

@TarekIbnZiad

Environment

  • cuJSON commit: 2ac7d3dcd7ad1ff64ebdb14022bf94c59b3b4953 (branch master)
  • OS: Ubuntu 22.04.5 LTS
  • GPU: NVIDIA A40 (Ampere, sm_86)
  • NVIDIA driver: 590.48.01
  • CUDA toolkit: 13.1 (nvcc V13.1.115)

Component

cuJSON — standard JSON iterator, cuJSONIterator::gotoArrayIndex (paper_reproduced/src/query/query_iterator_standard_json.cpp:269-317)

Severity

High (CWE-122, Heap-based Buffer Overflow).

Description

cuJSONIterator::gotoArrayIndex advances through structural indices without validating that the requested array index remains within the parsed structural and input buffers. A malformed navigation/operation sequence can drive the iterator past the valid tree representation, producing a host-side heap-buffer-overflow.

Root cause

gotoArrayIndex computes and consumes structural indices and calls getChar(), jumpOpeningForward(), and node assignment without bounds-checking the requested array index or the derived positions. When the index exceeds the parsed structure, the traversal reads past the heap buffer.

Call path:

harness LLVMFuzzerTestOneInput
  -> cuJSONIterator
  -> cuJSONIterator::gotoArrayIndex   (heap-buffer-overflow)

Impact

A caller or file-driven workflow that exposes iterator navigation can crash the host process and may read/write adjacent heap state.

Reproduction

CUDA_HOME=${CUDA_HOME:-/usr/local/cuda}
nvcc -std=c++17 -arch=native -O2 \
  -I<cujson-src> -I${CUDA_HOME}/include \
  -Xcompiler -fsanitize=address,-fno-omit-frame-pointer \
  llm_harness_cuJSONIterator.cu harness_afl_main.cpp \
  --compiler-bindir g++-13 -L${CUDA_HOME}/lib64 -lcudart \
  -Xlinker -fsanitize=address \
  -o /tmp/cujson_cuJSONIterator_asan.bin

ASAN_OPTIONS=protect_shadow_gap=0:detect_leaks=0 \
  /tmp/cujson_cuJSONIterator_asan.bin trigger.bin

Sanitizer evidence

==3385137==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c0d8640451f
SUMMARY: AddressSanitizer: heap-buffer-overflow in cuJSONIterator::gotoArrayIndex(int)

Suggested fix

Validate the requested array index and every computed structural index before calling getChar(), jumpOpeningForward(), or assigning node. Return an error status for out-of-range traversal instead of silently continuing.

Attachments

The following files from this finding are attached:

  • llm_harness_cuJSONIterator.cu
  • harness_afl_main.cpp
  • trigger.bin
  • asan.log

Archive.zip
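To make the root cause and the suggested fix concrete, here is an added illustration written for this issue; it is not cuJSON's code and does not use its data structures. It assumes a cuJSON-style structural index (the byte offset of every `[ ] { } , :` in the input), a hypothetical `Iterator` whose `cur` points at the `[` of the current array, a `skipContainer` helper standing in for the role described for jumpOpeningForward(), and an `input[structural[i]]` read standing in for getChar(). `gotoArrayIndexUnchecked` shows the pattern the report describes: the requested index is trusted and the derived structural index is never compared with the buffer size. `gotoArrayIndexChecked` is one way to do what the suggested fix asks for, returning a status instead of walking past the array. The sample JSON is constructed, not taken from trigger.bin.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Toy model of a structural index: the byte offset of every structural
// character in the input, in order. Layout and helper names are assumptions
// made for this illustration, not cuJSON's own (quoting inside strings is
// also ignored here).
struct ParsedJson {
    std::string input;                 // raw JSON bytes
    std::vector<uint32_t> structural;  // offsets of [ ] { } , :
};

ParsedJson parse(const std::string& json) {
    ParsedJson p{json, {}};
    for (uint32_t i = 0; i < json.size(); ++i) {
        char c = json[i];
        if (c == '[' || c == ']' || c == '{' || c == '}' || c == ',' || c == ':')
            p.structural.push_back(i);
    }
    return p;
}

struct Iterator {
    const ParsedJson* doc;
    size_t cur;  // index into doc->structural of the '[' opening the current array
};

// Skip the container whose opener is at structural index i; returns the index
// just past its matching closer, or SIZE_MAX if the input ends first.
static size_t skipContainer(const ParsedJson& d, size_t i) {
    int depth = 0;
    for (; i < d.structural.size(); ++i) {
        char c = d.input[d.structural[i]];
        if (c == '[' || c == '{') ++depth;
        else if ((c == ']' || c == '}') && --depth == 0) return i + 1;
    }
    return SIZE_MAX;
}

// First non-space byte at or after `from`, clamped to input.size().
static uint32_t skipSpace(const ParsedJson& d, uint32_t from) {
    while (from < d.input.size() && std::isspace(static_cast<unsigned char>(d.input[from]))) ++from;
    return from;
}

// VULNERABLE pattern: trusts n and never compares the derived structural index
// with the buffer size. For "[a,b]" and n == 5 the loop walks past the end of
// `structural`, and d.input[d.structural[i]] reads out of bounds on the heap.
uint32_t gotoArrayIndexUnchecked(const Iterator& it, int n) {
    const ParsedJson& d = *it.doc;
    size_t i = it.cur + 1;
    for (int seen = 0; seen < n;) {
        char c = d.input[d.structural[i]];  // i is never checked against size()
        if (c == '[' || c == '{') { i = skipContainer(d, i); continue; }
        if (c == ',') ++seen;
        ++i;
    }
    return skipSpace(d, d.structural[i - 1] + 1);
}

enum class Status { Ok, OutOfRange, Malformed };

// HARDENED version: every index derived from n is checked before use, and
// meeting the array's own ']' before the n-th separator is reported as
// OutOfRange instead of being walked past.
Status gotoArrayIndexChecked(const Iterator& it, int n, uint32_t* out) {
    const ParsedJson& d = *it.doc;
    const size_t count = d.structural.size();
    if (n < 0 || it.cur >= count || d.input[d.structural[it.cur]] != '[') return Status::Malformed;
    size_t i = it.cur + 1;
    for (int seen = 0; seen < n;) {
        if (i >= count) return Status::Malformed;   // array never closed
        char c = d.input[d.structural[i]];
        if (c == ']') return Status::OutOfRange;    // fewer than n + 1 elements
        if (c == '}') return Status::Malformed;
        if (c == '[' || c == '{') {
            i = skipContainer(d, i);
            if (i == SIZE_MAX) return Status::Malformed;
            continue;
        }
        if (c == ',') ++seen;
        ++i;
    }
    if (i >= count) return Status::Malformed;
    uint32_t start = skipSpace(d, d.structural[i - 1] + 1);
    if (start >= d.input.size()) return Status::Malformed;
    if (d.input[start] == ']') return Status::OutOfRange;  // "[]" or a trailing ","
    *out = start;
    return Status::Ok;
}

int main() {
    // Constructed sample input, not the attached trigger.bin.
    const ParsedJson d = parse("[10,[20,21],{\"k\":[1,2]},30]");
    Iterator it{&d, 0};
    for (int n = 0; n < 6; ++n) {
        uint32_t off = 0;
        Status s = gotoArrayIndexChecked(it, n, &off);
        std::printf("index %d: %s", n,
                    s == Status::Ok ? "ok" : s == Status::OutOfRange ? "out of range" : "malformed");
        if (s == Status::Ok) std::printf(" -> element starts at byte %u", off);
        std::printf("\n");
    }
    return 0;
}
```

Compiled with `-fsanitize=address`, calling `gotoArrayIndexUnchecked(it, 5)` on the sample document reports a heap-buffer-overflow on the `structural` vector, the same class of report as the attached asan.log; `gotoArrayIndexChecked` returns `OutOfRange` for the same request and leaves the iterator untouched. The checked version also separates "index too large" from "structure truncated", which is the distinction a caller needs in order to reject malformed navigation sequences rather than retry them.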
