oatpp Segmentation Fault Vulnerability in ObjectWrapper Constructor Leading to Null Pointer Dereference
Vulnerability
A segmentation fault vulnerability has been identified in oatpp versions through 1.3.1. The issue arises in the copy constructor of the ObjectWrapper class, specifically when handling oatpp::String objects, and results in a null pointer dereference that crashes the process. The fault occurs within the std::shared_ptr mechanism: a corrupted or uninitialized string object, in particular one left malformed by JSON parsing, is mishandled when the wrapper is copied. Exploitation of this vulnerability requires local access.
Impact
Exploitation of this vulnerability causes a segmentation fault due to a null pointer dereference, which typically leads to a crash or abnormal termination of the application.
Reproduction
The vulnerability can be reproduced by building oatpp with release optimization and AddressSanitizer (ASan) enabled. After compiling the library, the 'harness' application can be run with a proof-of-concept input that includes a malformed JSON string. The input should be crafted to corrupt an oatpp::String object, which will trigger the null pointer dereference when the object is copied, causing a segmentation fault.
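A minimal illustration of the defect class and its mitigation, added here as example code and not oatpp's own ObjectWrapper or JSON parser: a shared_ptr-backed string wrapper that a toy parser leaves null on malformed input, an unchecked copy path that would dereference it, and a checked copy that reports failure instead of crashing. All names below are hypothetical.

```cpp
#include <cassert>
#include <memory>
#include <string>

// Hypothetical stand-in for a shared_ptr-backed string wrapper (not oatpp's ObjectWrapper).
struct StringWrapper {
    std::shared_ptr<std::string> ptr;
    StringWrapper() = default;
    explicit StringWrapper(const std::string& s) : ptr(std::make_shared<std::string>(s)) {}
    bool isNull() const { return ptr == nullptr; }
};

// Toy parser: accepts only a double-quoted JSON string literal.
// On malformed input it returns a wrapper whose managed pointer is null,
// which is the state the advisory describes as the trigger.
StringWrapper parseJsonString(const std::string& in) {
    if (in.size() < 2 || in.front() != '"' || in.back() != '"') {
        return StringWrapper();  // constructed sample: null wrapper on malformed input
    }
    return StringWrapper(in.substr(1, in.size() - 2));
}

// Unchecked copy path: dereferences the managed pointer unconditionally.
// Calling this with a null wrapper is the null pointer dereference pattern.
std::string uncheckedCopy(const StringWrapper& w) {
    return *w.ptr;
}

// Hardened copy path: validate the wrapper before dereferencing and
// report failure to the caller instead of crashing.
bool checkedCopy(const StringWrapper& w, std::string& out) {
    if (w.isNull()) {
        return false;
    }
    out = *w.ptr;
    return true;
}
```

A JSON mapper that returns or propagates a null wrapper should fail the request at the parse boundary rather than let the null reach a copy or dereference.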