[Environment] ASAN_OPTIONS=alloc_dealloc_mismatch=0:allocator_may_return_null=1:allow_user_segv_handler=0:check_malloc_usable_size=0:detect_leaks=1:detect_stack_use_after_return=1:fast_unwind_on_fatal=0:handle_segv=2:handle_sigbus=2:handle_sigfpe=2:max_uar_stack_size_log=16:print_scariness=1:print_summary=1:print_suppressions=0:quarantine_size_mb=64:redzone=32:strip_path_prefix=/workspace/:use_sigaltstack=1
+----------------------------------------Release Build Stacktrace----------------------------------------+
Command: /mnt/scratch0/clusterfuzz/resources/platform/linux/unshare -c -n /mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_spring-boot_71ef79aa9a370f830c27d84b0234a0a79e9c6a03/revisions/BasicJsonParserFuzzer -rss_limit_mb=2560 -timeout=60 -runs=100 /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c354f05a89eee24be693d60b123128031aa89341
Time ran: 16.316258668899536
OpenJDK 64-Bit Server VM warning: Option CriticalJNINatives was deprecated in version 16.0 and will likely be removed in a future release.
OpenJDK 64-Bit Server VM warning: Sharing is only supported for boot loader classes because bootstrap classpath has been appended
INFO: Loaded 118 hooks from com.code_intelligence.jazzer.runtime.TraceCmpHooks
INFO: Loaded 4 hooks from com.code_intelligence.jazzer.runtime.TraceDivHooks
INFO: Loaded 2 hooks from com.code_intelligence.jazzer.runtime.TraceIndirHooks
INFO: Loaded 4 hooks from com.code_intelligence.jazzer.runtime.NativeLibHooks
INFO: Loaded 8 hooks from com.code_intelligence.jazzer.sanitizers.Deserialization
INFO: Loaded 3 hooks from com.code_intelligence.jazzer.sanitizers.ExpressionLanguageInjection
INFO: Loaded 70 hooks from com.code_intelligence.jazzer.sanitizers.LdapInjection
INFO: Loaded 46 hooks from com.code_intelligence.jazzer.sanitizers.NamingContextLookup
INFO: Loaded 1 hooks from com.code_intelligence.jazzer.sanitizers.OsCommandInjection
INFO: Loaded 68 hooks from com.code_intelligence.jazzer.sanitizers.ReflectiveCall
INFO: Loaded 8 hooks from com.code_intelligence.jazzer.sanitizers.RegexInjection
INFO: Loaded 16 hooks from com.code_intelligence.jazzer.sanitizers.RegexRoadblocks
INFO: Loaded 19 hooks from com.code_intelligence.jazzer.sanitizers.SqlInjection
INFO: Instrumented java.util.regex.Pattern$BnM with custom hooks only (took 22 ms, size +20%)
INFO: Instrumented java.util.regex.Pattern$BackRef with custom hooks only (took 6 ms, size +34%)
INFO: Instrumented java.util.regex.Pattern$Branch with custom hooks only (took 5 ms, size +27%)
INFO: Instrumented java.util.regex.Pattern$BranchConn with custom hooks only (took 3 ms, size +56%)
INFO: Instrumented java.util.regex.Pattern$BmpCharPropertyGreedy with custom hooks only (took 2 ms, size +31%)
INFO: Instrumented java.util.regex.Pattern$GroupCurly with custom hooks only (took 10 ms, size +34%)
INFO: Instrumented java.util.regex.Pattern$Ques with custom hooks only (took 4 ms, size +78%)
INFO: Instrumented java.util.regex.Pattern$Curly with custom hooks only (took 21 ms, size +50%)
INFO: Instrumented java.util.regex.Matcher with custom hooks only (took 65 ms, size +4%)
INFO: Instrumented java.util.regex.Pattern$StartS with custom hooks only (took 3 ms, size +35%)
INFO: Instrumented java.util.regex.Pattern$Start with custom hooks only (took 7 ms, size +35%)
INFO: Instrumented java.util.regex.Pattern$First with custom hooks only (took 4 ms, size +52%)
INFO: Instrumented java.util.regex.Pattern$Slice with custom hooks only (took 2 ms, size +44%)
INFO: Instrumented java.util.regex.Pattern$CharPropertyGreedy with custom hooks only (took 3 ms, size +22%)
INFO: Instrumented java.util.regex.Pattern$BmpCharProperty with custom hooks only (took 3 ms, size +35%)
INFO: Instrumented java.util.regex.Pattern$CharProperty with custom hooks only (took 4 ms, size +33%)
INFO: Instrumented java.util.regex.Pattern$GroupHead with custom hooks only (took 2 ms, size +49%)
INFO: Instrumented java.util.regex.Pattern with custom hooks only (took 66 ms, size +2%)
INFO: Instrumented BasicJsonParserFuzzer (took 26 ms, size +14%)
INFO: Instrumented org.springframework.boot.json.JsonParseException (took 4 ms, size +16%)
INFO: libFuzzer ignores flags that start with '--'
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 3822986206
INFO: Loaded 1 modules (512 inline 8-bit counters): 512 [0x7f650f454010, 0x7f650f454210),
INFO: Loaded 1 PC tables (512 PCs): 512 [0x1ec1130,0x1ec3130),
/mnt/scratch0/clusterfuzz/bot/builds/clusterfuzz-builds_spring-boot_71ef79aa9a370f830c27d84b0234a0a79e9c6a03/revisions/jazzer_driver: Running 1 inputs 100 time(s) each.
Running: /mnt/scratch0/clusterfuzz/bot/inputs/fuzzer-testcases/crash-c354f05a89eee24be693d60b123128031aa89341
INFO: Instrumented org.springframework.boot.json.BasicJsonParser (took 46 ms, size +25%)
INFO: Instrumented org.springframework.boot.json.AbstractJsonParser (took 14 ms, size +19%)
INFO: Instrumented org.springframework.boot.json.JsonParser (took 21 ms, size +0%)
INFO: Instrumented org.springframework.util.StringUtils (took 120 ms, size +36%)
INFO: New number of coverage counters: 1024
INFO: Instrumented org.springframework.util.ObjectUtils (took 115 ms, size +28%)
INFO: Instrumented java.util.regex.Pattern$SliceS with custom hooks only (took 2 ms, size +42%)
INFO: Instrumented java.lang.ProcessBuilder with custom hooks only (took 13 ms, size +6%)
== Java Exception: com.code_intelligence.jazzer.api.FuzzerSecurityIssueLow: Stack overflow (use '-Xss921k' to reproduce)
at org.springframework.boot.json.BasicJsonParser.parseMapInternal(BasicJsonParser.java:104)
at org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:64)
Caused by: java.lang.StackOverflowError
at java.base/java.nio.charset.CharsetEncoder.<init>(CharsetEncoder.java:233)
at java.base/sun.nio.cs.CESU_8$Encoder.<init>(CESU_8.java:401)
at java.base/sun.nio.cs.CESU_8.newEncoder(CESU_8.java:70)
at java.base/java.lang.String.encodeWithEncoder(String.java:837)
at java.base/java.lang.String.encode(String.java:833)
at java.base/java.lang.String.getBytes(String.java:1786)
at com.code_intelligence.jazzer.runtime.TraceDataFlowNativeCallbacks.encodeForLibFuzzer(TraceDataFlowNativeCallbacks.java:166)
at com.code_intelligence.jazzer.runtime.TraceDataFlowNativeCallbacks.traceStrstr(TraceDataFlowNativeCallbacks.java:82)
at com.code_intelligence.jazzer.runtime.TraceCmpHooks.startsWith(TraceCmpHooks.java:198)
at org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:60)
at org.springframework.boot.json.BasicJsonParser.parseMapInternal(BasicJsonParser.java:104)
at org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:64)
at org.springframework.boot.json.BasicJsonParser.parseMapInternal(BasicJsonParser.java:104)
at org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:64)
at org.springframework.boot.json.BasicJsonParser.parseMapInternal(BasicJsonParser.java:104)
at org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:64)
at org.springframework.boot.json.BasicJsonParser.parseMapInternal(BasicJsonParser.java:104)
at org.springframework.boot.json.BasicJsonParser.parseInternal(BasicJsonParser.java:64)
at org.springframework.boot.json.BasicJsonParser.parseMapInternal(BasicJsonParser.java:104)
(...)
Comment From: philwebb
Thanks to Patrice Salathe for finding this issue