From 8c2fdf2ac6e4bc3e5878b8ea64b8c109504f2949 Mon Sep 17 00:00:00 2001 From: liubo Date: Thu, 28 Dec 2023 17:40:30 +0800 Subject: [PATCH] =?UTF-8?q?Description:=20=E6=BC=8F=E6=B4=9E=E5=A4=84?= =?UTF-8?q?=E7=90=86=20IssueNo:https://gitee.com/openharmony/third=5Fparty?= =?UTF-8?q?=5FcJSON/issues/I8S4Y8=20Feature=20or=20Bugfix:=20Bugfix=20Bina?= =?UTF-8?q?ry=20Source:No=20Signed-off-by:=20liubo419=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- cJSON.c | 14 ++++++++++++-- tests/misc_tests.c | 21 +++++++++++++++++++++ 2 files changed, 33 insertions(+), 2 deletions(-) diff --git a/cJSON.c b/cJSON.c index f6dd11c..8411d94 100644 --- a/cJSON.c +++ b/cJSON.c @@ -401,7 +401,12 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring) { char *copy = NULL; /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */ - if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference)) + if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference)) + { + return NULL; + } + /* return NULL if the object is corrupted */ + if (object->valuestring == NULL) { return NULL; } @@ -2264,7 +2269,7 @@ CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON { cJSON *after_inserted = NULL; - if (which < 0) + if (which < 0 || newitem == NULL) { return false; } @@ -2275,6 +2280,11 @@ CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON return add_item_to_array(array, newitem); } + if (after_inserted != array->child && after_inserted->prev == NULL) { + /* return false if after_inserted is a corrupted array item */ + return false; + } + newitem->next = after_inserted; newitem->prev = after_inserted->prev; after_inserted->prev = newitem; diff --git a/tests/misc_tests.c b/tests/misc_tests.c index 19b7c85..48fb6ec 100644 --- a/tests/misc_tests.c +++ b/tests/misc_tests.c @@ -352,6 +352,19 @@ static void cjson_functions_should_not_crash_with_null_pointers(void) { char buffer[10]; cJSON *item = cJSON_CreateString("item"); + cJSON *array = cJSON_CreateArray(); + cJSON *item1 = cJSON_CreateString("item1"); + cJSON *item2 = cJSON_CreateString("corrupted array item3"); + cJSON *corruptedString = cJSON_CreateString("corrupted"); + struct cJSON *originalPrev; + + add_item_to_array(array, item1); + add_item_to_array(array, item2); + + originalPrev = item2->prev; + item2->prev = NULL; + free(corruptedString->valuestring); + corruptedString->valuestring = NULL; cJSON_InitHooks(NULL); TEST_ASSERT_NULL(cJSON_Parse(NULL)); @@ -411,6 +424,8 @@ static void cjson_functions_should_not_crash_with_null_pointers(void) cJSON_DeleteItemFromObject(item, NULL); cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item"); cJSON_DeleteItemFromObjectCaseSensitive(item, NULL); + TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL)); + TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item)); TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item)); TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL)); TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item)); @@ -427,10 +442,16 @@ static void cjson_functions_should_not_crash_with_null_pointers(void) TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true)); TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false)); TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false)); + TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test")); + TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test")); cJSON_Minify(NULL); /* skipped because it is only used via a macro that checks for NULL */ /* cJSON_SetNumberHelper(NULL, 0); */ + /* restore corrupted item2 to delete it */ + item2->prev = originalPrev; + cJSON_Delete(corruptedString); + cJSON_Delete(array); cJSON_Delete(item); } -- Gitee