NULL Pointer Dereference in cJSON_GetErrorPtr When cJSON_Parse Receives NULL Input


### NULL Pointer Dereference in cJSON_GetErrorPtr When cJSON_Parse Receives NULL Input

### Summary
A NULL pointer dereference vulnerability exists in function `cJSON_GetErrorPtr` at `cJSON.c:94–96`. When `cJSON_Parse(NULL)` is called, the function correctly returns NULL to indicate parse failure, but `cJSON_GetErrorPtr()` subsequently returns NULL instead of a valid error pointer. A caller following the documented error-reporting pattern will crash with a segmentation fault when dereferencing this NULL pointer.

### Version
v1.7.19

### Description
The root cause is in `cJSON_ParseWithLengthOpts` at `cJSON.c:1156`. When `value == NULL`, the code jumps to `fail` before setting `global_error` from the input buffer. The static variable `global_error` remains at its zero-initialized state `{NULL, 0}` (set at line 1153).`cJSON_GetErrorPtr` (line 94–96) computes:return (const char*) (global_error.json + global_error.position);// NULL + 0 = NULL

### Steps to reproduce
```
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include "cJSON.h"

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
    char *json_str = (char *)malloc(size + 1);
    if (json_str == NULL) return 0;
    memcpy(json_str, data, size);
    json_str[size] = '\0';

    cJSON *result = cJSON_ParseWithLength(json_str, size);

    if (result != NULL) {
        volatile char crash = *cJSON_GetErrorPtr();
        (void)crash;

        cJSON_Delete(result);
    }

    free(json_str);
    return 0;
}
```
### Reproduction Steps
```
$ https://github.com/DaveGamble/cJSON; cd cJSON.
$ clang-14 -I.. -g -fsanitize=fuzzer,address -o vuln3  vuln3.c  path/to/cjson/cJSON.c  path/to/cjson/cJSON_Utils.c -lm
$ ./vuln3  poc-3
```
```
==115411==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5fe79b9bd996 bp 0x7ffccf5df2a0 sp 0x7ffccf5df160 T0)
==115411==The signal is caused by a READ memory access.
==115411==Hint: address points to the zero page.
    #0 0x5fe79b9bd996 in LLVMFuzzerTestOneInput /home/ubuntu/Project/TRACE/database/cJSON/drivers/vuln3_null_geterrorptr_fuzz.c:55:31
    #1 0x5fe79b8e6393 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) (/home/ubuntu/Project/TRACE/database/cJSON/drivers/vuln3_null_geterrorptr_fuzz+0x43393) (BuildId: 568bd0701503a6453788ada1dc42cb912068d8d3)
    #2 0x5fe79b8d010f in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) (/home/ubuntu/Project/TRACE/database/cJSON/drivers/vuln3_null_geterrorptr_fuzz+0x2d10f) (BuildId: 568bd0701503a6453788ada1dc42cb912068d8d3)
    #3 0x5fe79b8d5e66 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) (/home/ubuntu/Project/TRACE/database/cJSON/drivers/vuln3_null_geterrorptr_fuzz+0x32e66) (BuildId: 568bd0701503a6453788ada1dc42cb912068d8d3)
    #4 0x5fe79b8ffc82 in main (/home/ubuntu/Project/TRACE/database/cJSON/drivers/vuln3_null_geterrorptr_fuzz+0x5cc82) (BuildId: 568bd0701503a6453788ada1dc42cb912068d8d3)
    #5 0x7766a9629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7766a9629e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #7 0x5fe79b8ca9d4 in _start (/home/ubuntu/Project/TRACE/database/cJSON/drivers/vuln3_null_geterrorptr_fuzz+0x279d4) (BuildId: 568bd0701503a6453788ada1dc42cb912068d8d3)
```

### POC
https://github.com/sdnuhfiu/poc-yanzheng/poc-3

### Impact
Potentially causing DoS



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

NULL Pointer Dereference in cJSON_GetErrorPtr When cJSON_Parse Receives NULL Input #1035