[Environment] ASAN_OPTIONS=alloc_dealloc_mismatch=0:allocator_may_return_null=1:allow_user_segv_handler=0:check_malloc_usable_size=0:detect_leaks=1:detect_stack_use_after_return=1:fast_unwind_on_fatal=0:handle_segv=2:handle_sigbus=2:handle_sigfpe=2:max_uar_stack_size_log=16:print_scariness=1:print_summary=1:print_suppressions=0:quarantine_size_mb=64:redzone=32:strip_path_prefix=/workspace/:use_sigaltstack=1

+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_spring-boot_71ef79aa9a370f830c27d84b0234a0a79e9c6a03/revisions/BasicJsonParserFuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c354f05a89eee24be693d60b123128031aa89341
Time ran: 16.316258668899536

OpenJDK 64-Bit Server VM warning: Option CriticalJNINatives was deprecated in version 16.0 and will likely be removed in a future release.
OpenJDK 64-Bit Server VM warning: Sharing is only supported for boot loader classes because bootstrap classpath has been appended
INFO: Loaded 118 hooks from com.code_intelligence.jazzer.runtime.TraceCmpHooks
INFO: Loaded 4 hooks from com.code_intelligence.jazzer.runtime.TraceDivHooks
INFO: Loaded 2 hooks from com.code_intelligence.jazzer.runtime.TraceIndirHooks
INFO: Loaded 4 hooks from com.code_intelligence.jazzer.runtime.NativeLibHooks
INFO: Loaded 8 hooks from com.code_intelligence.jazzer.sanitizers.Deserialization
INFO: Loaded 3 hooks from com.code_intelligence.jazzer.sanitizers.ExpressionLanguageInjection
INFO: Loaded 70 hooks from com.code_intelligence.jazzer.sanitizers.LdapInjection
INFO: Loaded 46 hooks from com.code_intelligence.jazzer.sanitizers.NamingContextLookup
INFO: Loaded 1 hooks from com.code_intelligence.jazzer.sanitizers.OsCommandInjection
INFO: Loaded 68 hooks from com.code_intelligence.jazzer.sanitizers.ReflectiveCall
INFO: Loaded 8 hooks from com.code_intelligence.jazzer.sanitizers.RegexInjection
INFO: Loaded 16 hooks from com.code_intelligence.jazzer.sanitizers.RegexRoadblocks
INFO: Loaded 19 hooks from com.code_intelligence.jazzer.sanitizers.SqlInjection
INFO: Instrumented java.util.regex.Pattern$BnM with custom hooks only (took 22 ms, size +20%)
INFO: Instrumented java.util.regex.Pattern$BackRef with custom hooks only (took 6 ms, size +34%)
INFO: Instrumented java.util.regex.Pattern$Branch with custom hooks only (took 5 ms, size +27%)
INFO: Instrumented java.util.regex.Pattern$BranchConn with custom hooks only (took 3 ms, size +56%)
INFO: Instrumented java.util.regex.Pattern$BmpCharPropertyGreedy with custom hooks only (took 2 ms, size +31%)
INFO: Instrumented java.util.regex.Pattern$GroupCurly with custom hooks only (took 10 ms, size +34%)
INFO: Instrumented java.util.regex.Pattern$Ques with custom hooks only (took 4 ms, size +78%)
INFO: Instrumented java.util.regex.Pattern$Curly with custom hooks only (took 21 ms, size +50%)
INFO: Instrumented java.util.regex.Matcher with custom hooks only (took 65 ms, size +4%)
INFO: Instrumented java.util.regex.Pattern$StartS with custom hooks only (took 3 ms, size +35%)
INFO: Instrumented java.util.regex.Pattern$Start with custom hooks only (took 7 ms, size +35%)
INFO: Instrumented java.util.regex.Pattern$First with custom hooks only (took 4 ms, size +52%)
INFO: Instrumented java.util.regex.Pattern$Slice with custom hooks only (took 2 ms, size +44%)
INFO: Instrumented java.util.regex.Pattern$CharPropertyGreedy with custom hooks only (took 3 ms, size +22%)
INFO: Instrumented java.util.regex.Pattern$BmpCharProperty with custom hooks only (took 3 ms, size +35%)
INFO: Instrumented java.util.regex.Pattern$CharProperty with custom hooks only (took 4 ms, size +33%)
INFO: Instrumented java.util.regex.Pattern$GroupHead with custom hooks only (took 2 ms, size +49%)
INFO: Instrumented java.util.regex.Pattern with custom hooks only (took 66 ms, size +2%)
INFO: Instrumented BasicJsonParserFuzzer (took 26 ms, size +14%)
INFO: Instrumented org.springframework.boot.json.JsonParseException (took 4 ms, size +16%)
INFO: libFuzzer ignores flags that start with '--'
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3822986206
INFO: Loaded 1 modules (512 inline 8-bit counters): 512 [0x7f650f454010, 0x7f650f454210),
INFO: Loaded 1 PC tables (512 PCs): 512 [0x1ec1130,0x1ec3130),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_spring-boot_71ef79aa9a370f830c27d84b0234a0a79e9c6a03/revisions/jazzer_driver: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c354f05a89eee24be693d60b123128031aa89341
INFO: Instrumented org.springframework.boot.json.BasicJsonParser (took 46 ms, size +25%)
INFO: Instrumented org.springframework.boot.json.AbstractJsonParser (took 14 ms, size +19%)
INFO: Instrumented org.springframework.boot.json.JsonParser (took 21 ms, size +0%)
INFO: Instrumented org.springframework.util.StringUtils (took 120 ms, size +36%)
INFO: New number of coverage counters: 1024
INFO: Instrumented org.springframework.util.ObjectUtils (took 115 ms, size +28%)
INFO: Instrumented java.util.regex.Pattern$SliceS with custom hooks only (took 2 ms, size +42%)
INFO: Instrumented java.lang.ProcessBuilder with custom hooks only (took 13 ms, size +6%)

== Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (use '-Xss921k' to reproduce)
    at org.springframework.boot.json.BasicJsonParser.parseMapInternal(BasicJsonParser.java:104)
    at org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:64)
Caused by: java.lang.StackOverflowError
    at java.base/java.nio.charset.CharsetEncoder.<init>(CharsetEncoder.java:233)
    at java.base/sun.nio.cs.CESU_8$Encoder.<init>(CESU_8.java:401)
    at java.base/sun.nio.cs.CESU_8.newEncoder(CESU_8.java:70)
    at java.base/java.lang.String.encodeWithEncoder(String.java:837)
    at java.base/java.lang.String.encode(String.java:833)
    at java.base/java.lang.String.getBytes(String.java:1786)
    at com.code_intelligence.jazzer.runtime.TraceDataFlowNativeCallbacks.encodeForLibFuzzer(TraceDataFlowNativeCallbacks.java:166)
    at com.code_intelligence.jazzer.runtime.TraceDataFlowNativeCallbacks.traceStrstr(TraceDataFlowNativeCallbacks.java:82)
    at com.code_intelligence.jazzer.runtime.TraceCmpHooks.startsWith(TraceCmpHooks.java:198)
    at org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:60)
    at org.springframework.boot.json.BasicJsonParser.parseMapInternal(BasicJsonParser.java:104)
    at org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:64)
    at org.springframework.boot.json.BasicJsonParser.parseMapInternal(BasicJsonParser.java:104)
    at org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:64)
    at org.springframework.boot.json.BasicJsonParser.parseMapInternal(BasicJsonParser.java:104)
    at org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:64)
    at org.springframework.boot.json.BasicJsonParser.parseMapInternal(BasicJsonParser.java:104)
    at org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:64)
    at org.springframework.boot.json.BasicJsonParser.parseMapInternal(BasicJsonParser.java:104)
    (...)
large-malformed-json.txt
Thanks to Patrice Salathe for finding this issue
6966ebd
Protect against deeply nested JSON maps
da91cde
See gh-31868
philwebb