Infinite Loop in org.json.JSONML.toJSONObject

[wdblair]

The following input causes the org.json.JSONML.toJSONObject method to run in an infinite loop.

JSONML.toJSONObject("??*^M??|?CglR^F??`??>?w??PIlr^E??D^X^]?$?-^R?o??O?*??{OD?^FY??`2a????NM?b^Tq?:O?>S$^K?J?^FB.gUK?m^H??zE??^??!v]?^A???^[^A??^U?c??????h???s???g^Z???`?q^Dbi??:^QZl?)?}1^??k?0??:$V?$?Ovs(}J??^V????2;^QgQ?^_^A?^D?^U?Tg?K?`?h%c?hmGA?<!C*^P^Y?^X9?~?t?)??,z^XA???S}?Q??.q?j????]");

If you trace the execution of JSONObject on this input, you see that it eventually makes it to the JSONML.parse method.

856715 [INVOKE] org.json.JSONML.parse(Lorg/json/XMLTokener;ZLorg/json/JSONArray;Z)Ljava/lang/Object;(571585615 false 0 false );

But then it gets stuck inside the parse method. If I'm reading the trace correctly, it repeatedly calls JSONTokener.next() on the XMLTokener x object on line 93 in JSONML.java

JSON-java/JSONML.java

Line 93 in 2a6af29

c = x.next();

It seems like there may be a missing case to throw a syntax error. Is the code searching for an end tag that doesn't exist?

You can find the full trace of the method running on this input in the following gist:

https://gist.github.com/wdblair/e462ca73c791162aab14e19605b4ae14

The following Java program reproduces the issue when the org.json library is in the classpath.

import java.util.Base64;
import org.json.JSONML;

public class JSONInfiniteLoop {

    public static void main(String argv[]) throws Throwable {
        String x = "Pz8qDT8/fD9DZ2xSBj8/YD8/Pj93Pz9QSWxyBT8/RBgdPyQ/LRI/bz8/Tz8qPz97T0Q/Blk/P2Ay" +
                   "YT8/Pz9OTT9iFHE/Ok8/PlMkCz9KPwZCLmdVSz9tCD8/ekU/P38/IXZdPwE/Pz8bAT8/FT9jPz8/" +
                   "Pz8/aD8/P3M/Pz9nGj8/P2A/cQRiaT8/OhFabD8pP30xXj8/az8wPz86JFY/JD9PdnMofUo/PxY/" +
                   "Pz8/MjsRZ1E/HwE/BD8VP1RnP0s/YD9oJWM/aG1HQT88IUMqEBk/GDk/fj90Pyk/Pyx6GEE/Pz9T" +
                   "fT9RPz8ucT9qPz8/P10=";
        byte[] decodedBytes = Base64.getDecoder().decode(x);
        String input = new String(decodedBytes);
        JSONML.toJSONObject(input);
    }
}

[johnjaylward]

@stleary using the first sample and stepping through with the debugger, I see the issue at line 111

JSON-java/JSONML.java

Lines 111 to 120 in 2a6af29

	do {
	token = x.nextMeta();
	if (token == null) {
	throw x.syntaxError("Missing '>' after '<!'.");
	} else if (token == XML.LT) {
	i += 1;
	} else if (token == XML.GT) {
	i -= 1;
	}
	} while (i > 0);

The do-while loop never exits as the JSONTokener.nextMeta() function continues to return the same character over and over and never advances the Tokener index.

In the nextMeta function, it steps back if it sees certain characters, which is causing the problem of not advancing:
https://github.com/stleary/JSON-java/blob/master/XMLTokener.java#L227-L247

[stleary]

@wdblair Thank you for raising this issue. @johnjaylward Thanks for identifying the root cause. There may be other potentially infinite loops in this and other parsing methods. I think these problems need to be fixed; input data should never be able to break the code.

[johnjaylward]

It looks like the correction in #485 solves the issue for both data inputs provided in the original description. I did not use the base64 encoded string, as I don't like encoded items if they don't have to be (base64 encoding was not what was breaking this). I unencoded it first and used the raw value as the input.

[wdblair]

Thanks @stleary and @johnjaylward! I'm glad you were able to reproduce the issue. On my side I can check out the new branch and see if I can find any other problematic inputs.

[stleary]

Closed due to fix has been merged.