Title: JSON Pointer ~1 decoding error in cJSON decode_pointer_inplace
Description
A logic error in cJSON's JSON Pointer decoder. When decode_pointer_inplace() processes a ~1 escape sequence (which should decode to / per RFC 6901), it writes the decoded / to an incorrect position — decoded_string[1] instead of the current output cursor. As a result, ~1 is decoded as ~/ instead of /, causing cJSONUtils_ApplyPatches() to target the wrong key.
Impact
cJSONUtils_GetPointer() / cJSONUtils_ApplyPatches() resolve incorrect keys
- Data integrity issue when processing JSON Patch operations from untrusted sources
Reproduction
All materials are available in my research repository:
https://github.com/eglonnnn/opensource-fuzz-vulnerability-research/tree/main/JSON%20Pointer%20~1%20decoding%20error%20in%20cJSON%20decode_pointer_inplace
Title: JSON Pointer
~1decoding error in cJSONdecode_pointer_inplaceDescription
A logic error in cJSON's JSON Pointer decoder. When
decode_pointer_inplace()processes a~1escape sequence (which should decode to/per RFC 6901), it writes the decoded/to an incorrect position —decoded_string[1]instead of the current output cursor. As a result,~1is decoded as~/instead of/, causingcJSONUtils_ApplyPatches()to target the wrong key.Impact
cJSONUtils_GetPointer()/cJSONUtils_ApplyPatches()resolve incorrect keysReproduction
All materials are available in my research repository:
https://github.com/eglonnnn/opensource-fuzz-vulnerability-research/tree/main/JSON%20Pointer%20~1%20decoding%20error%20in%20cJSON%20decode_pointer_inplace