Skip to content
This repository was archived by the owner on Oct 23, 2024. It is now read-only.
This repository was archived by the owner on Oct 23, 2024. It is now read-only.

Undeclared exceptions thrown by JSON.parse #3631

Closed
Closed
Undeclared exceptions thrown by JSON.parse#3631
Labels
bug
Milestone
1.2.76
@fmeum

Description

@fmeum
fmeum
opened on Jan 29, 2021

While fuzzing fastjson in version 1.2.75, I found 4 cases of undeclared exceptions (i.e., exceptions other than JSONException).
The crashes can be reproduced with the following standalone Java applications, which require fastjson-1.2.75.jar from https://repo1.maven.org/maven2/com/alibaba/fastjson/1.2.75/fastjson-1.2.75.jar in the classpath.

Issue 1: NumberFormatException

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash1 {
    public static void main(String[] args) {
        try {
            JSON.parse("{[-");
        } catch (JSONException unused) {
            return;
        }
    }
}

Issue 2: ClassCastException

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash2 {
    public static void main(String[] args) {
        try {
            JSON.parse("TreeSet[[]");
        } catch (JSONException unused) {
            return;
        }
    }
}

Issue 3: ArrayIndexOutOfBoundsException

import java.util.Base64;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash3 {
    public static String btoa(String base64) {
        return new String(Base64.getDecoder().decode(base64));
    }

    public static void main(String[] args) {
        try {
            JSON.parse(btoa("IltbezU6W3s2Ojg2Ojg4LDU6W3s2OgAAAA17eycAAAAAAAAAAAAAAAAAAAAAAAAAAA17eyd7e3t7//97UERGLTIgQm8aNDU6W3s2Ojg4LDU6W3s2OgAAAA17NgEAAHt7//97UERGLTIgQm8aNAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA17eyd7ewFF//97UERGLTIgQmpkAAAAAAAADXt7J3t7AUX//3tQREYtMiBCbxo0UERGLTIgQm8aNFBERi0yIEJvGjRwZW5qZAAAAAAAAAAAAAAAAAAAAAANe3sne3sBRf//e1BERi0yIEJvGjQAAAAADXt7J3t7AUX//3tQREYtMiBCbxo0amQAAA17eyd7ewFF//97UERGLTIgQm8aNAAADXt7J3t7AUX//3tQREYtMiBCbxo0AAAAAA17eyd7////T/97UERGLTIgQm8aNFBERi0yIEJvGjRwZW5qZAAAAAAAAAAAAAAAAAAAAAANe3sne3sBRf//e1BERi0yIEJvGjQAAAAADXt7J3t7AUX//3tQREYtMiBCbxo0UERGLTIgQm8aNFBERi0yIEJvGjRwZW5qZAAAAAAAAAAAAAAAAAAAAAANe3sne3sBRf//e1BERi0yIEJvGjQAAAAADXt7J3t7AUX//3tQREYtMiBCbxo0"));
        } catch (JSONException unused) {
            return;
        }
    }
}

Issue 4: ArrayIndexOutOfBoundsException

import java.util.Base64;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;

public class FastJsonCrash4 {
    public static String btoa(String base64) {
        return new String(Base64.getDecoder().decode(base64));
    }

    public static void main(String[] args) {
        try {
            JSON.parse(btoa("WywsIiIMLCIAAAAMAAAgAAAAdWUgdAAAAA1ubHUlbDMyMjIABAAAADIyMjISMjNbW1ukHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHiBUZA17W3tbCTg0DQooIHRleHQuIEFuZCAgNDRUBDQ0LCwoLCwsLCwsKSwsLCwsLCwsLCwsLCwsnf8sLCwsLCwsMiwsLG51bA9sLCwqLCwsLCwsLCwsLCwsLCwsLCwoLCwsLCwsKSx077+9LCwsLBAsLCwsLCwoLCwsLCwsKSx077+9LCwsLCwyLCwsLCwsLCwsLFtbW1uhpJ3/GiwsLCwsLDIsLCwsLCwsQSw8LCwsLHtbW1sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHtbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHsnw4QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWw1dLAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAW10AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABdAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAW6Gknf8sLCwsLCwsLCwsLCwsWywsLCwsLCwsLCwsLCwsLCwsKCwsLCwsLCksLCwsLCwsLCwsLCwsLJ3/LCwsLCwsLDIsLCxudWxsLCwqLCwsLCwsLCwsLCwsLCwsLCwoLCwsLCwsKSx077+9LCwsLCwsLCwsLCwoLCwsLCwsKSx07zV1bmRlZmluZW5kACwsLCwsLFtbW1uhpJ3/GiwsLCwsLDIsLCwsLCwsQSw8LCwsLHtbW1tboaSd/ywsLCwsLCwsLCwsLCxbLCwsLCwsLCwsLCwsLCwsLCwsLEEsPCwsLCx7W1tbW6Gknf8sLCwsLCwsLCwsLCwsLCwsLCgsLCwsLCwpLCwsLCwsLCwsLCwsLCyd/ywsLCwsLCwyLCwsbnVsbCwsKiwsLCwsLCwsLCwsLCwsLCwsKCwsLCwsLCksdO+/vSwsLCwsMSwsLCwsLCwsLCxbW1tboaSd/xosLCwsLCwyLCwsLCwsLCwsLCws"));
        } catch (JSONException unused) {
            return;
        }
    }
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions