From 86301a7fe0e59c3802d441fe3012d1141017d9ce Mon Sep 17 00:00:00 2001
From: lvfei
Date: Mon, 29 Apr 2024 13:57:05 +0800
Subject: [PATCH] fix CVE-2024-31755 and potential memory leak
(cherry picked from commit 12d09877f421df3de1c2104b7a5529d28d5663db)
---
 CVE-2024-31755.patch | 47 +++++++++++++++++++
 ...potential-memory-leak-in-merge_patch.patch | 12 +++++
 cjson.spec | 10 +++-
 3 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2024-31755.patch
 create mode 100644 backport-fix-potential-memory-leak-in-merge_patch.patch
diff --git a/CVE-2024-31755.patch b/CVE-2024-31755.patch
new file mode 100644
index 0000000..8c20a4c
--- /dev/null
+++ b/CVE-2024-31755.patch
@@ -0,0 +1,47 @@
+From 00c76717b4315381a1878cca2f10d08544634bf2 Mon Sep 17 00:00:00 2001
+From: Alanscut
+Date: Mon, 29 Apr 2024 13:29:12 +0800
+Subject: [PATCH] CVE-2024-31755
+
+Fix NULL valuestring problem in cJSON_SetValuestring.
+This fixes #839 and CVE-2024-31755
+Related issue #845
+
+---
+ cJSON.c | 7 +++++++
+ tests/misc_tests.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 7543078..349ebbd 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -410,6 +410,13 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
+ {
+ return NULL;
+ }
++ /* NULL valuestring causes error with strlen and should be treated separately */
++ if (valuestring == NULL)
++ {
++ cJSON_free(object->valuestring);
++ object->valuestring = NULL;
++ return NULL;
++ }
+ if (strlen(valuestring) <= strlen(object->valuestring))
+ {
+ strcpy(object->valuestring, valuestring);
+diff --git a/tests/misc_tests.c b/tests/misc_tests.c
+index 8031c0d..c11a823 100644
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ -445,6 +445,7 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
+ TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
+ TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
+ TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
++ TEST_ASSERT_NULL(cJSON_SetValuestring(item, NULL));
+ cJSON_Minify(NULL);
+ /* skipped because it is only used via a macro that checks for NULL */
+ /* cJSON_SetNumberHelper(NULL, 0); */
+--
+2.27.0
+
diff --git a/backport-fix-potential-memory-leak-in-merge_patch.patch b/backport-fix-potential-memory-leak-in-merge_patch.patch
new file mode 100644
index 0000000..9bde2bd
--- /dev/null
+++ b/backport-fix-potential-memory-leak-in-merge_patch.patch
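Review bot: The new `valuestring == NULL` branch returns NULL on its success path, which is the same value the guard just above it (its `return NULL;` is the first context line of the hunk) returns on failure, so a caller cannot tell "string cleared" from "object rejected", and the new test `TEST_ASSERT_NULL(cJSON_SetValuestring(item, NULL))` pins that ambiguity rather than resolving it. Nothing in the hunk documents this and cJSON.h is not touched by the patch; I would add above the branch `/* Passing NULL frees and clears the current string; NULL is returned on this success path as well, so callers must not use a NULL return alone to detect failure. */`. After this branch the item is a cJSON_String whose valuestring is NULL, and whether a later call with a non-NULL string is rejected before it reaches `strlen(object->valuestring)` depends on the condition of the guard above the hunk, which is not visible here and is worth confirming against the CVE-2023-50471/50472 backport that the spec applies first. cJSON_SetValuestring starts before and ends after the hunk.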
@@ -0,0 +1,12 @@
+diff --git a/cJSON_Utils.c b/cJSON_Utils.c
+index c7c6439..63651df 100644
+--- a/cJSON_Utils.c
++++ b/cJSON_Utils.c
+@@ -1367,6 +1367,7 @@ static cJSON *merge_patch(cJSON *target, const cJSON * const patch, const cJSON_
+ replacement = merge_patch(replace_me, patch_child, case_sensitive);
+ if (replacement == NULL)
+ {
++ cJSON_Delete(target);
+ return NULL;
+ }
+
diff --git a/cjson.spec b/cjson.spec
index 0d57a50..5beedfc 100644
--- a/cjson.spec
+++ b/cjson.spec
@@ -1,6 +1,6 @@
 Name: cjson
 Version: 1.7.15
-Release: 2
+Release: 4
 Summary: Ultralightweight JSON parser in ANSI C
 License: MIT and ASL 2.0
@@ -8,6 +8,8 @@ URL: https://github.com/DaveGamble/cJSON
 Source0: https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.tar.gz
 Patch0001: backport-CVE-2023-50471_50472.patch
+Patch0002: backport-fix-potential-memory-leak-in-merge_patch.patch
+Patch0003: CVE-2024-31755.patch
 BuildRequires: gcc
 BuildRequires: cmake
@@ -52,6 +54,12 @@ rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake
 %{_includedir}/cjson/
 %changelog
+* Fri Apr 26 2024 lvfei - 1.7.15-4
+- fix CVE-2024-31755
+
+* Tue Mar 05 2024 xiejing - 1.7.15-3
+- fix potential memory leak in merge_patch()
+
 * Sun Dec 24 2023 liningjie - 1.7.15-2
 - Fix CVE-2023-50471 CVE-2023-50472
--
Gitee
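Review bot: The added `cJSON_Delete(target);` changes who owns `target` on the failure path — it was previously leaked but still valid, now it is freed — yet the backport touches neither a comment at this site nor the public wrapper's contract, so a caller that keeps using or frees its original document after a NULL return now gets a use-after-free or double free instead of a leak. The change is presumably right for the recursive call visible in the hunk, since `replace_me` appears to be an item detached from the parent `target` by code above the hunk, but it has to be stated; I would put `/* on failure target is consumed too: it has been freed and must not be used or freed again by the caller */` above the `return NULL;` and mirror that sentence in the cJSONUtils_MergePatch description. merge_patch's body starts before and ends after the hunk, and the public wrapper is not part of the patch.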