From aac16ced40633dcb7fdae24cbdd61b0d872086f2 Mon Sep 17 00:00:00 2001
From: Zhao Mengmeng
Date: Wed, 29 May 2024 14:45:05 +0800
Subject: [PATCH] Set free'd pointers to NULL whenever they are not reassigned

Backport from upstream: https://github.com/DaveGamble/cJSON/commit/542fb0eadd3db62630c1eb958e685f1d8e30694e

A double free vulnerability was discovered in cJSON_Delete function through fuzzing. Fix it by set pointers to NULL immediately after they are deallocated.

Links: https://github.com/DaveGamble/cJSON/issues/833

Signed-off-by: Zhao Mengmeng
---
 ...ers-to-NULL-whenever-they-are-not-re.patch | 74 +++++++++++++++++++
 cjson.spec | 6 +-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch

diff --git a/backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch b/backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch
new file mode 100644
index 0000000..063bc38
--- /dev/null
+++ b/backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch
@@ -0,0 +1,74 @@
+From 0489fa665b373d214523e318ee6b75292ea0e411 Mon Sep 17 00:00:00 2001
+From: maebex
+Date: Sat, 30 Mar 2024 10:42:22 +0100
+Subject: [PATCH] Set free'd pointers to NULL whenever they are not reassigned
+ immediately after
+
+---
+ cJSON.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 7532e84..ab4fb35 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -263,10 +263,12 @@ CJSON_PUBLIC(void) cJSON_Delete(cJSON *item)
+ if (!(item->type & cJSON_IsReference) && (item->valuestring != NULL))
+ {
+ global_hooks.deallocate(item->valuestring);
++ item->valuestring = NULL;
+ }
+ if (!(item->type & cJSON_StringIsConst) && (item->string != NULL))
+ {
+ global_hooks.deallocate(item->string);
++ item->string = NULL;
+ }
+ global_hooks.deallocate(item);
+ item = next;
+@@ -900,6 +902,7 @@ fail:
+ if (output != NULL)
+ {
+ input_buffer->hooks.deallocate(output);
++ output = NULL;
+ }
+
+ if (input_pointer != NULL)
+@@ -1242,6 +1245,7 @@ static unsigned char *print(const cJSON * const item, cJSON_bool format, const i
+
+ /* free the buffer */
+ hooks->deallocate(buffer->buffer);
++ buffer->buffer = NULL;
+ }
+
+ return printed;
+@@ -1250,11 +1254,13 @@ fail:
+ if (buffer->buffer != NULL)
+ {
+ hooks->deallocate(buffer->buffer);
++ buffer->buffer = NULL;
+ }
+
+ if (printed != NULL)
+ {
+ hooks->deallocate(printed);
++ printed = NULL;
+ }
+
+ return NULL;
+@@ -1295,6 +1301,7 @@ CJSON_PUBLIC(char *) cJSON_PrintBuffered(const cJSON *item, int prebuffer, cJSON
+ if (!print_value(item, &p))
+ {
+ global_hooks.deallocate(p.buffer);
++ p.buffer = NULL;
+ return NULL;
+ }
+
+@@ -3138,4 +3145,5 @@ CJSON_PUBLIC(void *) cJSON_malloc(size_t size)
+ CJSON_PUBLIC(void) cJSON_free(void *object)
+ {
+ global_hooks.deallocate(object);
++ object = NULL;
+ }
+--
+2.33.0
+
diff --git a/cjson.spec b/cjson.spec
index 5beedfc..812250b 100644
--- a/cjson.spec
+++ b/cjson.spec
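Review bot: In the cJSON_free hunk of the backported patch, `object = NULL;` writes to a by-value parameter and is a dead store: it cannot clear the caller's copy of the pointer, so it provides no double-free protection and reads as if it did. The same holds for `output = NULL;` and `printed = NULL;` in the two `fail:` paths, where the locals go out of scope on the following `return`, and in cJSON_Delete the nulled `item->valuestring`/`item->string` live in the object that `global_hooks.deallocate(item);` releases two lines later, so whether this backport alone closes the issue 833 reproducer should be confirmed by re-running it rather than inferred from the upstream title. The assignments that do persist are the `buffer->buffer = NULL;` writes in print() and `p.buffer = NULL;` in cJSON_PrintBuffered, which appear to clear state that outlives the call. Consider dropping the dead stores, or annotating the surviving ones so a later reader does not mistake them for the fix, e.g. `/* defensive: buffer struct outlives this call, do not leave a dangling pointer */`. Every enclosing function in these hunks starts and ends outside the hunk.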
@@ -1,6 +1,6 @@
 Name: cjson
 Version: 1.7.15
-Release: 4
+Release: 5
 Summary: Ultralightweight JSON parser in ANSI C
 License: MIT and ASL 2.0
@@ -10,6 +10,7 @@ Source0: https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.ta
 Patch0001: backport-CVE-2023-50471_50472.patch
 Patch0002: backport-fix-potential-memory-leak-in-merge_patch.patch
 Patch0003: CVE-2024-31755.patch
+Patch0004: backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch
 BuildRequires: gcc
 BuildRequires: cmake
@@ -54,6 +55,9 @@ rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake
 %{_includedir}/cjson/
 %changelog
+* Wed May 29 2024 Zhao Mengmeng - 1.7.15-5
+- Set free'd pointers to NULL to avoid double free
+
 * Fri Apr 26 2024 lvfei - 1.7.15-4
 - fix CVE-2024-31755
-- Gitee