diff --git a/backport-Add-test-for-heap-buffer-overflow.patch b/backport-Add-test-for-heap-buffer-overflow.patch
new file mode 100644
index 0000000000000000000000000000000000000000..fb2b74a4dad4a872f8b5238aaffc8f3dc980e965
--- /dev/null
+++ b/backport-Add-test-for-heap-buffer-overflow.patch
@@ -0,0 +1,58 @@
+From 826cd6f842ae7e46ee38bbc097f9a34f2947388d Mon Sep 17 00:00:00 2001
+From: orri
+Date: Tue, 30 Apr 2024 09:46:17 +0000
+Subject: [PATCH 1/2] Add test for heap buffer overflow
+
+From #800
+---
+ tests/parse_examples.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tests/parse_examples.c b/tests/parse_examples.c
+index 95a0959..d35d6cf 100644
+--- a/tests/parse_examples.c
++++ b/tests/parse_examples.c
+@@ -250,6 +250,33 @@ static void test14_should_not_be_parsed(void)
+ }
+ }
+
++/* Address Sanitizer */
++static void test15_should_not_heap_buffer_overflow(void)
++{
++ const char *strings[] = {
++ "{\"1\":1,",
++ "{\"1\":1, ",
++ };
+
++ size_t i;
+
++ for (i = 0; i < sizeof(strings) / sizeof(strings[0]); i+=1)
++ {
++ const char *json_string = strings[i];
++ size_t len = strlen(json_string);
++ cJSON *json = NULL;
+
++ char *exact_size_heap = (char*)malloc(len);
++ TEST_ASSERT_NOT_NULL(exact_size_heap);
+
++ memcpy(exact_size_heap, json_string, len);
++ json = cJSON_ParseWithLength(exact_size_heap, len);
+
++ cJSON_Delete(json);
++ free(exact_size_heap);
++ }
++}
+
+ int CJSON_CDECL main(void)
+ {
+ UNITY_BEGIN();
+@@ -267,5 +294,6 @@ int CJSON_CDECL main(void)
+ RUN_TEST(test12_should_not_be_parsed);
+ RUN_TEST(test13_should_be_parsed_without_null_termination);
+ RUN_TEST(test14_should_not_be_parsed);
++ RUN_TEST(test15_should_not_heap_buffer_overflow);
+ return UNITY_END();
+ }
+--
+2.43.0
+
diff --git a/backport-Fix-heap-buffer-overflow.patch b/backport-Fix-heap-buffer-overflow.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b9d52456c980fecfcb02dcb067b65c244a2eb021
--- /dev/null
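Review bot: test15_should_not_heap_buffer_overflow never checks what cJSON_ParseWithLength returns, so in a build without AddressSanitizer it passes whether or not the truncated object is rejected; with the guard in Patch0008 the parser takes the fail path on the dangling comma, so adding `TEST_ASSERT_NULL(json);` before `cJSON_Delete(json);` would pin that and make the test meaningful outside sanitizer runs. The `/* Address Sanitizer */` comment only says how the bug is detected, not what is exercised; something like `/* input ends right after ',' (or ", ") in an exact-size heap buffer: the parser must not read past len (#800) */` would tell the next reader why the data is copied into malloc(len) instead of being passed as a literal. The `(char*)` cast on malloc is unnecessary in C and `i+=1` is unusual spacing, though since this is a verbatim upstream backport those are probably not worth diverging for.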
+++ b/backport-Fix-heap-buffer-overflow.patch
@@ -0,0 +1,29 @@
+From 3ef4e4e730e5efd381be612df41e1ff3f5bb3c32 Mon Sep 17 00:00:00 2001
+From: orri
+Date: Tue, 30 Apr 2024 09:50:19 +0000
+Subject: [PATCH 2/2] Fix heap buffer overflow
+
+Fixes #800
+---
+ cJSON.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 4f5b38d..97564bb 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -1660,6 +1660,11 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
+ current_item = new_item;
+ }
+
++ if (cannot_access_at_index(input_buffer, 1))
++ {
++ goto fail; /* nothing comes after the comma */
++ }
+
+ /* parse the name of the child */
+ input_buffer->offset++;
+ buffer_skip_whitespace(input_buffer);
+--
+2.43.0
+
diff --git a/cjson.spec b/cjson.spec
index 07d0f90f113fdac0f2bc9c4a74b6c5032ed0f519..919010f090641413e3c919e962d0f93d9266f9d1 100644
--- a/cjson.spec
+++ b/cjson.spec
@@ -1,6 +1,6 @@
Name: cjson
Version: 1.7.15
-Release: 7
+Release: 8
Summary: Ultralightweight JSON parser in ANSI C
License: MIT and ASL 2.0
@@ -13,6 +13,8 @@ Patch0003: CVE-2024-31755.patch
Patch0004: Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch
Patch0005: backport-fix-add-allocate-check-for-replace_item_in_object-67.patch
Patch0006: backport-fix-print-int-without-decimal-places-630.patch
+Patch0007: backport-Add-test-for-heap-buffer-overflow.patch
+Patch0008: backport-Fix-heap-buffer-overflow.patch
BuildRequires: gcc
BuildRequires: cmake
@@ -59,6 +61,9 @@ rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake
%{_includedir}/cjson/
%changelog
+* Wed May 22 2024 xiejing - 1.7.15-8
+- Fix heap buffer overflow
+
+* Fri May 10 2024 wuzhaomin - 1.7.15-7 - Fix print int without decimal places
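Review bot: The new guard covers only the case where ',' is the last byte of the buffer; for the second test input (`"{\"1\":1, "`) the comma is followed by whitespace, so `input_buffer->offset++` and `buffer_skip_whitespace(input_buffer)` still run to the end of the input and the key parse that follows must bounds-check its own first read. That is presumably the case in the upstream tree this patch was cut from (cJSON.c index 4f5b38d..97564bb), but the spec applies it to 1.7.15, and a patch applies as long as its three context lines match, so the behaviour of the surrounding helpers in the 1.7.15 cJSON.c should be confirmed rather than assumed before this is called fixed. Since the test drives the parser with an exact-size heap buffer that the parser only reads, what the guard prevents is a read past the end of the buffer; the changelog entry "Fix heap buffer overflow" would be clearer as an over-read, as "overflow" usually suggests a write. parse_object begins and ends outside the hunk.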