UltraJSON Buffer Overflow and Denial-of-Service Vulnerability via Indentation Handling

Vulnerability

A vulnerability in UltraJSON versions 5.10 through 5.11.0 allows a buffer overflow or an infinite loop, leading to a denial-of-service condition. The issue arises from improper handling of the 'indent' parameter in the 'ujson.dumps()' function. When the product of the indent value and the nested depth of the input exceeds INT32_MAX, the result is a segmentation fault that crashes the Python interpreter. Alternatively, a large negative indent can cause an infinite loop. Applications are exposed when untrusted users control the indent parameter, especially if it is not restricted to small non-negative values.

Impact

Exploitation of this vulnerability causes a segmentation fault, crashing the Python interpreter, or leads to an infinite loop, causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by calling 'ujson.dumps()' with a large indent value, such as 2^30, while the input is nested at least one level deep. This combination causes an integer overflow, allowing the indent calculation to exceed the maximum buffer size, resulting in a heap buffer overflow. Alternatively, setting the indent to a large negative number, such as -2000000000, causes the program to enter an infinite loop, effectively freezing the process.

Remediation

Users can upgrade to UltraJSON version 5.12.0, which addresses the vulnerability by capping the indent parameter at 1000, promoting integer types to prevent overflow, and adjusting the handling of negative indents. For those who cannot upgrade, it's advised to use fixed or non-negative indentation values.
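
The workaround above can be enforced at the point where a caller-supplied indent enters the application. The following is an added example, not code from UltraJSON or from this advisory: the names clamp_indent, dumps_with_untrusted_indent and IndentError and the local limit MAX_INDENT = 8 are assumptions, and the standard-library json.dumps stands in for ujson.dumps so the block runs without UltraJSON installed.

```python
import json

# Local policy chosen for this example (assumption); far below the cap of
# 1000 that the advisory says version 5.12.0 applies.
MAX_INDENT = 8


class IndentError(ValueError):
    """Raised when a caller-supplied indent is outside the allowed range."""


def clamp_indent(raw, max_indent=MAX_INDENT):
    """Turn an untrusted indent (str or int) into a small non-negative int."""
    if raw is None or raw == "":
        return 0  # no indentation requested
    if isinstance(raw, bool):  # bool is an int subclass; reject it explicitly
        raise IndentError("indent must be an integer")
    if isinstance(raw, str):
        text = raw.strip()
        # ASCII digits only: rejects "-2000000000", "1e9", "0x10", "2**30".
        # The length check refuses huge values before they are even parsed.
        if not (text.isascii() and text.isdigit()) or len(text) > 4:
            raise IndentError("indent must be a short non-negative integer")
        value = int(text)
    elif isinstance(raw, int):
        value = raw
    else:
        raise IndentError("indent must be an integer")
    if value < 0 or value > max_indent:
        raise IndentError(f"indent must be between 0 and {max_indent}")
    return value


def dumps_with_untrusted_indent(obj, raw_indent, dumps=json.dumps):
    """Serialize obj, validating the indent before the serializer sees it.

    Pass dumps=ujson.dumps in an application that uses UltraJSON.
    """
    return dumps(obj, indent=clamp_indent(raw_indent))
```

Rejecting out-of-range values, rather than silently clamping them, also leaves an error that can be logged when a client sends an abnormal indent.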

Added: Mar 20, 2026, 2:30 AM
Updated: Mar 20, 2026, 2:30 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 6.0
remediation: 8.3
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.