Segmentation Fault in json_unescape_string loop due to unvalidated pointer increment #28

@Xinchen-one

Description:

The json_unescape_string function (lines 1058 to 1084 in json.c) suffers from unvalidated pointer increments, leading to control flow loss and a SIGSEGV segmentation fault during string unescaping.

PoC (Proof of Concept) Payload:

```json
{"string":"\g","number":123,"bool":true,"null":null}
```

Root Cause Analysis:

Inside the unescaping loop, when a backslash `\` is caught, the pointer is forced to increment (`iter++`) to point to the character to be decoded. However, the code does not verify whether this increment exceeds the string's physical memory boundary or hits a null byte `\0`. The unvalidated dereference is then passed to the subsequent switch-case block. Under the malformed payload `\g` scenario, the state machine enters an unhandled path, reading/writing an unmapped memory address without safety bounds.

Impact:

  • CVSS v3.1 Score: 7.5 (High)
  • String unescaping is typically the front line for handling network traffic (e.g., API gateways).
  • This vulnerability allows remote attackers to trigger high-frequency application crashes with a minimal payload, resulting in full Denial of Service (DoS).

Suggested Fix:

  • Remodel the unescaping loop to include an explicit bounds check after every internal iter++ step.
  • Ensure the pointer is verified within the legal string layout before any dereferencing, and reject invalid escape tokens strictly.
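A minimal unescape loop with the two checks the report asks for, written here as an added example rather than the project's own `json.c` code (the function `safe_unescape` and its signature are hypothetical, and `\uXXXX` decoding is left out). The escape letter is read only after confirming the cursor has not run past the input or onto a NUL, and unknown tokens such as the PoC's `\g` are rejected instead of reaching an unhandled switch path.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical hardened unescape (example code, not the project's json.c).
 * Decodes the single-character JSON escapes from in[0..inlen) into out,
 * which must have room for the result plus a terminating NUL.
 * Returns the number of bytes written, or -1 on a trailing backslash,
 * an escape letter that is NUL, an unknown escape token, or lack of room. */
long safe_unescape(const char *in, size_t inlen, char *out, size_t outcap) {
    size_t i = 0, o = 0;
    while (i < inlen) {
        char c = in[i++];
        if (c != '\\') {
            if (o >= outcap) return -1;
            out[o++] = c;
            continue;
        }
        /* Bounds check right after consuming the backslash: never read the
         * escape letter past the end of the input or from an embedded NUL. */
        if (i >= inlen || in[i] == '\0') return -1;
        char e = in[i++];
        char decoded;
        switch (e) {
            case '"':  decoded = '"';  break;
            case '\\': decoded = '\\'; break;
            case '/':  decoded = '/';  break;
            case 'b':  decoded = '\b'; break;
            case 'f':  decoded = '\f'; break;
            case 'n':  decoded = '\n'; break;
            case 'r':  decoded = '\r'; break;
            case 't':  decoded = '\t'; break;
            /* \uXXXX is omitted here; a real decoder must validate its 4 hex digits. */
            default:   return -1;   /* reject \g and every other unknown token */
        }
        if (o >= outcap) return -1;
        out[o++] = decoded;
    }
    if (o >= outcap) return -1;     /* no room for the terminating NUL */
    out[o] = '\0';
    return (long)o;
}
```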
