Impact
The Zephyr JSON decoder incorrectly decodes array-of-array structures.
When using JSON_OBJ_DESCR_ARRAY_ARRAY, the subarray has the token type JSON_TOK_LIST_START, but the object part of the union is what gets assigned. arr_parse then takes the offset of the array-object (which has nothing to do with the list), treats it as relative to the parent object, and stores the length of the subarray there.
For the unit test, that means that the subarray length (=1) is stored where the name pointer of the first element would be.
And in fact, the unit test only verifies the names of the second and third elements and ignores the first one (which would fail the unit test).
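The tag/union mismatch described above, reduced to a simplified model: this is an added example, not Zephyr's json.h or json.c, and every struct, descriptor and function name in it is hypothetical. It assumes the list path finds the slot for the subarray length through the array member of the union, and it counts how many name pointers survive with the mismatched descriptor and with a consistent one.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model with hypothetical names; not Zephyr's json.h or json.c. */
enum tok { TOK_STRING, TOK_OBJECT, TOK_LIST };
struct descr {
    enum tok type;
    size_t offset; /* list element: offset of the length field in the parent */
    union {
        struct { const struct descr *sub; size_t sub_len; } object;
        struct { const struct descr *elem; size_t n_elements; } array;
    } u;
};
struct elem { const char *name; size_t height; };
struct parent { struct elem objs[3]; size_t sub_len; };

static const struct descr elem_fields[] = {
    { .type = TOK_STRING, .offset = offsetof(struct elem, name) },
};
/* Correct element descriptor: its offset names the parent's length field. */
static const struct descr elem_obj = {
    .type = TOK_OBJECT, .offset = offsetof(struct parent, sub_len),
    .u.object = { elem_fields, 1 },
};
/* Before: tagged as a list, but the object member of the union is filled in. */
static const struct descr sub_buggy = { .type = TOK_LIST, .u.object = { elem_fields, 1 } };
/* After: the tag and the populated union member agree. */
static const struct descr sub_fixed = { .type = TOK_LIST, .u.array = { &elem_obj, 1 } };

/* Models decoding [[{"name":"A"}],[{"name":"B"}],[{"name":"C"}]] (constructed
 * input) and returns how many of the three name pointers survive. */
static int intact_names(const struct descr *sub)
{
    static const char *const names[3] = { "A", "B", "C" };
    struct parent p = { .sub_len = 0 };
    int ok = 0;
    for (int i = 0; i < 3; i++) {
        size_t len = 1; /* each subarray holds one object */
        p.objs[i].name = names[i];
        /* The list tag makes the parser read u.array, whatever was assigned. */
        const struct descr *e = sub->u.array.elem;
        memcpy((char *)&p + e->offset, &len, sizeof(len));
    }
    for (int i = 0; i < 3; i++)
        ok += memcmp(&p.objs[i].name, &names[i], sizeof(names[i])) == 0;
    return ok;
}
int main(void) { return !(intact_names(&sub_buggy) == 2 && intact_names(&sub_fixed) == 3); }
```

A test that checks only the second and third names passes against the mismatched descriptor; asserting on all three is what exposes the overwrite.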
Patches
Fixed on master: #36340 (2.7.0)
Fixed on v2.6.0: #37816 (unreleased)
Fixed on v2.5.0: TBD
Fixed on v1.14: TBD
References
Original bug report: #33573
For more information
If you have any questions or comments about this advisory:
embargo: 2020-06-20