From d76505099f93bd056364e9de1d52bd72fda309b2 Mon Sep 17 00:00:00 2001
From: Zhao Mengmeng
Date: Wed, 29 May 2024 14:45:05 +0800
Subject: [PATCH] Set free'd pointers to NULL whenever they are not reassigned

Backport from upstream: https://github.com/DaveGamble/cJSON/commit/542fb0eadd3db62630c1eb958e685f1d8e30694e
A double free vulnerability was discovered in cJSON_Delete function through fuzzing. Fix it by set pointers to NULL immediately after they are deallocated.
Links: https://github.com/DaveGamble/cJSON/issues/833
Signed-off-by: Zhao Mengmeng
(cherry picked from commit 1243399bf7d1638e0f8a4943c4c553fba4964bfd)
---
 ...ers-to-NULL-whenever-they-are-not-re.patch | 74 +++++++++++++++++++
 cjson.spec | 6 +-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch

diff --git a/backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch b/backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch
new file mode 100644
index 0000000..063bc38
--- /dev/null
+++ b/backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch
@@ -0,0 +1,74 @@
+From 0489fa665b373d214523e318ee6b75292ea0e411 Mon Sep 17 00:00:00 2001
+From: maebex
+Date: Sat, 30 Mar 2024 10:42:22 +0100
+Subject: [PATCH] Set free'd pointers to NULL whenever they are not reassigned
+ immediately after
+
+---
+ cJSON.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 7532e84..ab4fb35 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -263,10 +263,12 @@ CJSON_PUBLIC(void) cJSON_Delete(cJSON *item)
+ if (!(item->type & cJSON_IsReference) && (item->valuestring != NULL))
+ {
+ global_hooks.deallocate(item->valuestring);
++ item->valuestring = NULL;
+ }
+ if (!(item->type & cJSON_StringIsConst) && (item->string != NULL))
+ {
+ global_hooks.deallocate(item->string);
++ item->string = NULL;
+ }
+ global_hooks.deallocate(item);
+ item = next;
+@@ -900,6 +902,7 @@ fail:
+ if (output != NULL)
+ {
+ input_buffer->hooks.deallocate(output);
++ output = NULL;
+ }
+
+ if (input_pointer != NULL)
+@@ -1242,6 +1245,7 @@ static unsigned char *print(const cJSON * const item, cJSON_bool format, const i
+
+ /* free the buffer */
+ hooks->deallocate(buffer->buffer);
++ buffer->buffer = NULL;
+ }
+
+ return printed;
+@@ -1250,11 +1254,13 @@ fail:
+ if (buffer->buffer != NULL)
+ {
+ hooks->deallocate(buffer->buffer);
++ buffer->buffer = NULL;
+ }
+
+ if (printed != NULL)
+ {
+ hooks->deallocate(printed);
++ printed = NULL;
+ }
+
+ return NULL;
+@@ -1295,6 +1301,7 @@ CJSON_PUBLIC(char *) cJSON_PrintBuffered(const cJSON *item, int prebuffer, cJSON
+ if (!print_value(item, &p))
+ {
+ global_hooks.deallocate(p.buffer);
++ p.buffer = NULL;
+ return NULL;
+ }
+
+@@ -3138,4 +3145,5 @@ CJSON_PUBLIC(void *) cJSON_malloc(size_t size)
+ CJSON_PUBLIC(void) cJSON_free(void *object)
+ {
+ global_hooks.deallocate(object);
++ object = NULL;
+ }
+-- 
+2.33.0
+
diff --git a/cjson.spec b/cjson.spec
index 919010f..ea2580a 100644
--- a/cjson.spec
+++ b/cjson.spec
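Review bot: In the `@@ -3138` hunk, `object = NULL;` in cJSON_free assigns a by-value parameter, so the caller's copy of the pointer is unchanged and the store is dead: it does not stop a caller from re-freeing its own pointer, and should either be dropped or the caller contract documented in cJSON.h instead. The `item->valuestring = NULL;` and `item->string = NULL;` stores in the `@@ -263` hunk have the same limitation, since they are written into the struct that `global_hooks.deallocate(item)` releases a few lines later, so nothing after cJSON_Delete returns can observe them. The `printed = NULL;` store in the `@@ -1250` hunk is directly followed by `return NULL;`, and `output = NULL;` and `p.buffer = NULL;` appear to be locals about to leave scope (their enclosing functions start and end outside the hunks). If these are kept as defensive hygiene, a comment such as `/* defensive only: this clears a local copy, not the caller's pointer */` next to each would keep the next reader from taking them as a double-free fix, which the commit message currently presents them as.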
@@ -1,6 +1,6 @@
 Name: cjson
 Version: 1.7.15
-Release: 8
+Release: 9
 Summary: Ultralightweight JSON parser in ANSI C
 License: MIT and ASL 2.0
@@ -15,6 +15,7 @@
 Patch0005: backport-fix-add-allocate-check-for-replace_item_in_object-67.patch
 Patch0006: backport-fix-print-int-without-decimal-places-630.patch
 Patch0007: backport-Add-test-for-heap-buffer-overflow.patch
 Patch0008: backport-Fix-heap-buffer-overflow.patch
+Patch0009: backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch
 BuildRequires: gcc
 BuildRequires: cmake
@@ -61,6 +62,9 @@ rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake
 %{_includedir}/cjson/
 %changelog
+* Wed May 29 2024 Zhao Mengmeng - 1.7.15-9
+- Set free'd pointers to NULL to avoid double free
+
 * Wed May 22 2024 xiejing - 1.7.15-8
 - Fix heap buffer overflow
-- 
Gitee