
Use-of-uninitialized-value (OSS-Fuzz issue 477) #437

Closed
nlohmann opened this issue Jan 27, 2017 · 4 comments
Labels
kind: bug solution: invalid the issue is not related to the library

Comments

@nlohmann (Owner)

Detailed report: https://clusterfuzz-external.appspot.com/testcase?key=5830738947604480

Project: json
Fuzzer: libFuzzer_json_parse_afl_fuzzer
Fuzz target binary: parse_afl_fuzzer
Job Type: libfuzzer_msan_json
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
__gxx_personality_v0
_Unwind_RaiseException
__cxa_throw

Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz-external.appspot.com/revisions?job=libfuzzer_msan_json&range=201701270147:201701270541

Minimized Testcase (0.05 Kb):
Download: https://clusterfuzz-external.appspot.com/download/AMIfv97uPDkobmdCxNESfNAohSeKQ8tsx1Ni5ug5EFQiWitRVK0y8ZnwzVJbr_pYJ3F_AivTjP2p-JUbq4W_VLT5OHU9WofkuRuvvVW-MPD61NHqyu24muu3Q9JHinl8GLO7_btgUfOV8iG5SPQGnGexHBjzCyrYGTlLsZKZbf2VkqpROCpySlZngCslMz3osZixYVsySBUr0oWEUL4jUeEhM-fb_HCXufyiUTGG8rAYPGvMA5tEthCSO-s0d10q_HJWFuYcZeYGIjgcXWf2z06h_0_jCoN-YZv-aJi97KGchkJwsLfE4a0POiWJtChJCnu0OYSKSQbE4IUMafDxz-2FwzQiLkBRH3rxYJbNpoj_YjbUdrndvdTmWOiV-moaPHKUAz0VxyZT?testcase_id=5830738947604480
{"(V[V[":8,"[":8,"V[":8,"[V[":8,"VV[":8,"[V[":8,"V[[["


Issue filed automatically.

See https://github.com/google/oss-fuzz/blob/master/docs/reproducing.md for more information.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without an upstream patch, then the bug report will automatically
become visible to the public.

Input: {"(V[V[":8,"[":8,"V[":8,"[V[":8,"VV[":8,"[V[":8,"V[[["

==1==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0xf1859f in __gxx_personality_v0 /src/llvm/projects/libcxxabi/src/cxa_personality.cpp:947:22
#1 0x7f25b9f5c262 in _Unwind_RaiseException
#2 0xf1ba09 in __cxa_throw /src/llvm/projects/libcxxabi/src/cxa_exception.cpp:222:5
#3 0xcf9473 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::parser::expect(nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::lexer::token_type) const /src/json/src/json.hpp:11281:17
#4 0xceba4f in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::parser::parse_internal(bool) /src/json/src/json.hpp:11134:25
#5 0xce4f50 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::parser::parse() /src/json/src/json.hpp:11060:33
#6 0xca1986 in nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer> nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::parse<unsigned char const*, 0>(unsigned char const*, unsigned char const*, std::__1::function<bool (int, nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>::parse_event_t, nlohmann::basic_json<std::__1::map, std::__1::vector, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, bool, long, unsigned long, double, std::__1::allocator, nlohmann::adl_serializer>&)>) /src/json/src/json.hpp:6461:40
#7 0xc9b2dc in LLVMFuzzerTestOneInput /src/json/test/src/fuzzer-parse_json.cpp:34:19
#8 0x784e36 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:550:13
#9 0x788aef in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:501:3
@nlohmann (Owner, Author)

The error has occurred with revision 42fa3f0. The last reported line in json.hpp is the JSON_THROW (json/src/json.hpp, line 11281 in 42fa3f0: JSON_THROW(std::invalid_argument(error_msg));) in:

void expect(typename lexer::token_type t) const
{
    if (t != last_token)
    {
        std::string error_msg = "parse error - unexpected ";
        error_msg += (last_token == lexer::token_type::parse_error ? ("'" +  m_lexer.get_token_string() +
                      "'") :
                      lexer::token_type_name(last_token));
        error_msg += "; expected " + lexer::token_type_name(t);
        JSON_THROW(std::invalid_argument(error_msg));
    }
}

@nlohmann (Owner, Author)

This is the next line (cxa_exception.cpp:222): https://github.com/llvm-mirror/libcxxabi/blob/master/src/cxa_exception.cpp#L222

@nlohmann (Owner, Author)

Can anyone help to reproduce this error or to explain what is wrong?

@nlohmann added the labels "state: help needed" (the issue needs help to proceed) and "solution: invalid" (the issue is not related to the library), then removed "state: help needed" on Jan 27, 2017.

@nlohmann (Owner, Author)

Comment from OSS-Fuzz:

looks like a false positive (msan support in OSS-Fuzz is too new).
Please disregard.
