`fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because iodine vendors the same parser code, the issue also affects iodine when it parses attacker-controlled JSON.

The smallest reproducer found is `[i`. The quoted-value form that originally exposed the issue, `[""i`, reaches the same bug because the parser tolerates missing commas and then treats the trailing `i` as the start of another value.

The vulnerable logic is in `lib/facil/fiobj/fio_json_parser.h` around the numeral handling block (0.7.5 / 0.7.6: lines 434-468; master: lines 434-468 in the current tree as tested).
This parser is reached from real library entry points, not just the header in isolation:

- facil.io: `lib/facil/fiobj/fiobj_json.c:377-387` (`fiobj_json2obj`) and `402-411` (`fiobj_hash_update_json`)
- iodine: `ext/iodine/iodine_json.c:161-177` (`iodine_json_convert`)
- iodine: `ext/iodine/fiobj_json.c:377-387` and `402-411`

Relevant flow:
- The parser sees `i` or `I` and jumps to the `numeral:` label.
- It calls `fio_atol((char **)&tmp)`.
- For `i` / `I`, `fio_atol` consumes zero characters and leaves `tmp == pos`.
- The code then checks whether `JSON_NUMERAL[*tmp]` is true.
- `JSON_NUMERAL['i'] == 0`, so the parser incorrectly accepts the value as an integer and sets `pos = tmp` without advancing.
- Because the value is nested (`parser->depth > 0`), the outer loop continues forever with the same `pos`.

The same logic exists in iodine's vendored copy at `ext/iodine/fio_json_parser.h` lines 434-468.
Why the `[""i` form hangs:

- `""` is parsed as the first array element.
- The parser tolerates the missing comma after it.
- `i` is then parsed as a new nested value and hits the zero-advance path above.
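The following is an added, constructed model of the value loop described above; it is not facil.io's or iodine's code, and the function names (`scan_integer`, `parse_array`) and the iteration cap are assumptions made for the illustration. It keeps the two properties that interact in the bug (a missing comma between elements is tolerated, and the numeral branch can consume zero bytes) and shows the progress check a maintainer would add so that a non-advancing value branch becomes a parse error instead of a spin. With the guard disabled the loop is capped so the demonstration terminates and reports that it was stuck.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the advisory's value loop; not facil.io's parser. */
enum parse_result { PARSE_OK = 0, PARSE_ERROR = 1, PARSE_STUCK = 2 };

/* Mimics the observable behaviour of an atol-style scanner on the inputs that
 * matter here: optional sign plus decimal digits, returning the number of bytes
 * consumed. For "i" it consumes zero bytes, the condition that triggers the spin. */
static size_t scan_integer(const char *p, const char *end, long long *out) {
    const char *s = p;
    long long v = 0, sign = 1;
    if (s < end && (*s == '-' || *s == '+')) { sign = (*s == '-') ? -1 : 1; s++; }
    const char *digits = s;
    while (s < end && *s >= '0' && *s <= '9') { v = v * 10 + (*s - '0'); s++; }
    if (s == digits) return 0;               /* no digits: nothing consumed */
    *out = sign * v;
    return (size_t)(s - p);
}

/* Parses one JSON array of strings and integers (enough to show the bug).
 * guard_progress != 0: a value branch that consumes no input is a parse error.
 * guard_progress == 0: the unguarded loop, capped at max_iters so it returns
 * PARSE_STUCK instead of hanging. elements may be NULL. */
enum parse_result parse_array(const char *json, int guard_progress,
                              size_t max_iters, size_t *elements) {
    const char *pos = json, *end = json + strlen(json);
    size_t count = 0, iters = 0;
    if (pos >= end || *pos != '[') return PARSE_ERROR;
    pos++;
    while (pos < end) {
        if (++iters > max_iters) return PARSE_STUCK;
        const char *start = pos;             /* position before this value */
        switch (*pos) {
        case ' ': case ',':                  /* separators; the comma is optional */
            pos++;
            continue;
        case ']':
            if (elements) *elements = count;
            return PARSE_OK;
        case '"': {                          /* string value: find the closing quote */
            const char *q = memchr(pos + 1, '"', (size_t)(end - pos - 1));
            if (!q) return PARSE_ERROR;
            pos = q + 1;
            count++;
            break;
        }
        default: {                           /* numeral branch, reached for 'i' as well */
            long long v;
            pos += scan_integer(pos, end, &v);
            if (guard_progress && pos == start) return PARSE_ERROR; /* the fix */
            count++;                         /* unguarded: zero-width "integer" accepted */
            break;
        }
        }
    }
    return PARSE_ERROR;                      /* unterminated array */
}

int main(void) {
    const char *samples[] = { "[i", "[\"\"i", "[1, 2]" };
    for (size_t k = 0; k < 3; k++) {
        size_t n = 0;
        enum parse_result guarded = parse_array(samples[k], 1, 1000, &n);
        enum parse_result unguarded = parse_array(samples[k], 0, 1000, NULL);
        printf("%-8s guarded=%d unguarded=%d elements=%zu\n",
               samples[k], guarded, unguarded, n);
    }
    return 0;
}
```

The guard is deliberately placed on the value branch rather than on the outer loop: checking `pos == start` after each value catches every zero-width consumer, so the same check also covers any other character the numeral branch is entered for. A generic iteration cap, as used here only to keep the unguarded demonstration finite, is not a substitute, because it turns a parse error into a slow failure and the cap has to be guessed.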
Severity: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)