From 05c9d03feda8c58eea1eb28c23aff54669357f9a Mon Sep 17 00:00:00 2001 From: xiejing Date: Tue, 5 Mar 2024 16:37:18 +0800 Subject: [PATCH] fix potential memory leak in merge_patch() --- ...rt-fix-potential-memory-leak-in-merge_patch.patch | 12 ++++++++++++ cjson.spec | 6 +++++- 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 backport-fix-potential-memory-leak-in-merge_patch.patch diff --git a/backport-fix-potential-memory-leak-in-merge_patch.patch b/backport-fix-potential-memory-leak-in-merge_patch.patch new file mode 100644 index 0000000..9bde2bd --- /dev/null +++ b/backport-fix-potential-memory-leak-in-merge_patch.patch @@ -0,0 +1,12 @@ +diff --git a/cJSON_Utils.c b/cJSON_Utils.c +index c7c6439..63651df 100644 +--- a/cJSON_Utils.c ++++ b/cJSON_Utils.c +@@ -1367,6 +1367,7 @@ static cJSON *merge_patch(cJSON *target, const cJSON * const patch, const cJSON_ + replacement = merge_patch(replace_me, patch_child, case_sensitive); + if (replacement == NULL) + { ++ cJSON_Delete(target); + return NULL; + } + diff --git a/cjson.spec b/cjson.spec index 0d57a50..ad07f22 100644 --- a/cjson.spec +++ b/cjson.spec @@ -1,6 +1,6 @@ Name: cjson Version: 1.7.15 -Release: 2 +Release: 3 Summary: Ultralightweight JSON parser in ANSI C License: MIT and ASL 2.0 @@ -8,6 +8,7 @@ URL: https://github.com/DaveGamble/cJSON Source0: https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.tar.gz Patch0001: backport-CVE-2023-50471_50472.patch +Patch0002: backport-fix-potential-memory-leak-in-merge_patch.patch BuildRequires: gcc BuildRequires: cmake @@ -52,6 +53,9 @@ rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake %{_includedir}/cjson/ %changelog +* Tue Mar 05 2024 xiejing - 1.7.15-3 +- fix potential memory leak in merge_patch() + * Sun Dec 24 2023 liningjie - 1.7.15-2 - Fix CVE-2023-50471 CVE-2023-50472 -- Gitee