
Infinite loop in Value::readObject(...) stream checking #40

Description

@PerGraa

Playing around with the afl fuzzer, I have encountered a hang in the (time of writing) trunk code.

Test case:
JsonBox_hang00.json.txt

Sure the input is not valid JSON, but it triggers something interesting.

Using Value::loadFromString(...) which uses Value::loadFromStream(...) which in the Structural::BEGIN_OBJECT case calls Value::readObject(...) we end up in the innermost while loop of readObject.

That loop runs infinitely, since input.eof() stays low, but in debugging I can see that input.fail() goes high, probably due to the fuzzed bad input file.

Referring to the truth table at http://en.cppreference.com/w/cpp/io/basic_ios/eof a possible fix could be to use input.good() instead of !input.eof(), but I'll leave that up to the developers.

Note that !input.eof() is used in a number of places in Value.cpp.
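The stream-state behaviour behind this report, as an added stand-alone example (not JsonBox code, and not the attached test case): a failed extraction sets failbit without setting eofbit, and every later read on a failed stream is a no-op because the sentry check fails, so a loop guarded only by !input.eof() never advances. The inputs below are constructed, and using a failed numeric `>>` extraction is an assumption about how to reach that state; the actual path in readObject may differ. The functions compare the !eof() guard from the report with the good() guard it suggests, with an iteration cap so the "hang" case terminates.

```cpp
#include <sstream>
#include <string>

// Flags observed after a numeric extraction on a constructed input.
struct StreamFlags {
    bool eof;
    bool fail;
};

// Attempt to extract a double and report the stream flags afterwards.
// On "xyz" the extraction fails: failbit is set, eofbit is not.
StreamFlags flagsAfterExtraction(const std::string& text) {
    std::istringstream input(text);
    double value = 0;
    input >> value;
    return StreamFlags{input.eof(), input.fail()};
}

// Loop guarded by !eof(), as in the report. Returns the number of iterations;
// reaching `cap` means the loop would never terminate on its own.
long iterationsWithEofGuard(const std::string& text, long cap) {
    std::istringstream input(text);
    double value = 0;
    input >> value;            // fails on bad input, leaving failbit set
    char c;
    long iterations = 0;
    while (!input.eof() && iterations < cap) {
        input.get(c);          // no-op on a failed stream: eofbit never appears
        ++iterations;
    }
    return iterations;
}

// Same loop guarded by good(), which is false as soon as eofbit, failbit or
// badbit is set. Returns the number of iterations executed.
long iterationsWithGoodGuard(const std::string& text, long cap) {
    std::istringstream input(text);
    double value = 0;
    input >> value;            // on bad input the loop below is skipped entirely
    char c;
    long iterations = 0;
    while (input.good() && iterations < cap) {
        input.get(c);
        ++iterations;
    }
    return iterations;
}
```

With a well-formed prefix such as "12 ab}" both guards behave the same (five iterations: four characters read, then one failed read that sets eof). With "xyz" the !eof() loop spins until the cap, while the good() loop exits immediately; the caller should then check input.fail() and report a parse error rather than treat the early exit as success.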
