From de2287f5749877ef1df2c28ef84c5d3609651969 Mon Sep 17 00:00:00 2001
From: Zhao Mengmeng
Date: Wed, 29 May 2024 14:45:05 +0800
Subject: [PATCH] Sync patches from 24.03 branch

Sync these patches from 24.03 branch:
- Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch
- backport-Add-test-for-heap-buffer-overflow.patch
- backport-Fix-heap-buffer-overflow.patch
- backport-fix-add-allocate-check-for-replace_item_in_object-67.patch
- backport-fix-print-int-without-decimal-places-630.patch
- backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch

Signed-off-by: Zhao Mengmeng
---
 ...er-crash-in-cJSON_ReplaceItemViaPoin.patch | 25 ++++++
 ...rt-Add-test-for-heap-buffer-overflow.patch | 58 ++++++++++++++
 backport-Fix-heap-buffer-overflow.patch | 29 +++++++
 ...ers-to-NULL-whenever-they-are-not-re.patch | 74 +++++++++++++++++
 ...-check-for-replace_item_in_object-67.patch | 80 +++++++++++++++++++
 ...print-int-without-decimal-places-630.patch | 26 ++++++
 cjson.spec | 11 ++-
 7 files changed, 302 insertions(+), 1 deletion(-)
 create mode 100644 Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch
 create mode 100644 backport-Add-test-for-heap-buffer-overflow.patch
 create mode 100644 backport-Fix-heap-buffer-overflow.patch
 create mode 100644 backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch
 create mode 100644 backport-fix-add-allocate-check-for-replace_item_in_object-67.patch
 create mode 100644 backport-fix-print-int-without-decimal-places-630.patch

diff --git a/Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch b/Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch
new file mode 100644
index 0000000..edd1d1f
--- /dev/null
+++ b/Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch
@@ -0,0 +1,25 @@
+From 73d8cbbaf1c8b5ceb5a46a8e7d9a24aa3edaf0a3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E8=82=96=E5=9C=A8?=
+Date: Tue, 7 May 2024 11:40:54 +0800
+Subject: [PATCH] Fix a null pointer crash in cJSON_ReplaceItemViaPointer
+
+---
+ cJSON.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cJSON.c b/cJSON.c
+index 349ebbd..a1073ed 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -2304,7 +2304,7 @@ CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON
+ 
+ CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemViaPointer(cJSON * const parent, cJSON * const item, cJSON * replacement)
+ {
+- if ((parent == NULL) || (replacement == NULL) || (item == NULL))
++ if ((parent == NULL) || (parent->child == NULL) || (replacement == NULL) || (item == NULL))
+ {
+ return false;
+ }
+--
+2.33.0
+
diff --git a/backport-Add-test-for-heap-buffer-overflow.patch b/backport-Add-test-for-heap-buffer-overflow.patch
new file mode 100644
index 0000000..fb2b74a
--- /dev/null
+++ b/backport-Add-test-for-heap-buffer-overflow.patch
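Review bot: The added `parent->child == NULL` test in cJSON_ReplaceItemViaPointer carries no comment, and the dereference it guards is not in the hunk (the function body continues below it), so a reader of the backport cannot see why an empty parent is rejected. Presumably `parent->child` is dereferenced later in the function when the replacement is relinked; a one-line comment on the condition such as `/* an empty parent cannot contain item, and parent->child is dereferenced below */` keeps that reason with the code. The guard still does not check that `item` is actually linked under `parent`; callers that pass a lookup result remain responsible for that, which is worth stating in the patch description since cJSON_ReplaceItemViaPointer is a public entry point.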
@@ -0,0 +1,58 @@
+From 826cd6f842ae7e46ee38bbc097f9a34f2947388d Mon Sep 17 00:00:00 2001
+From: orri
+Date: Tue, 30 Apr 2024 09:46:17 +0000
+Subject: [PATCH 1/2] Add test for heap buffer overflow
+
+From #800
+---
+ tests/parse_examples.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tests/parse_examples.c b/tests/parse_examples.c
+index 95a0959..d35d6cf 100644
+--- a/tests/parse_examples.c
++++ b/tests/parse_examples.c
+@@ -250,6 +250,33 @@ static void test14_should_not_be_parsed(void)
+ }
+ }
+ 
++/* Address Sanitizer */
++static void test15_should_not_heap_buffer_overflow(void)
++{
++ const char *strings[] = {
++ "{\"1\":1,",
++ "{\"1\":1, ",
++ };
++
++ size_t i;
++
++ for (i = 0; i < sizeof(strings) / sizeof(strings[0]); i+=1)
++ {
++ const char *json_string = strings[i];
++ size_t len = strlen(json_string);
++ cJSON *json = NULL;
++
++ char *exact_size_heap = (char*)malloc(len);
++ TEST_ASSERT_NOT_NULL(exact_size_heap);
++
++ memcpy(exact_size_heap, json_string, len);
++ json = cJSON_ParseWithLength(exact_size_heap, len);
++
++ cJSON_Delete(json);
++ free(exact_size_heap);
++ }
++}
++
+ int CJSON_CDECL main(void)
+ {
+ UNITY_BEGIN();
+@@ -267,5 +294,6 @@ int CJSON_CDECL main(void)
+ RUN_TEST(test12_should_not_be_parsed);
+ RUN_TEST(test13_should_be_parsed_without_null_termination);
+ RUN_TEST(test14_should_not_be_parsed);
++ RUN_TEST(test15_should_not_heap_buffer_overflow);
+ return UNITY_END();
+ }
+--
+2.43.0
+
diff --git a/backport-Fix-heap-buffer-overflow.patch b/backport-Fix-heap-buffer-overflow.patch
new file mode 100644
index 0000000..b9d5245
--- /dev/null
+++ b/backport-Fix-heap-buffer-overflow.patch
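Review bot: test15_should_not_heap_buffer_overflow has no assertion on the parse result, so outside an AddressSanitizer build it passes whether or not the overflow is fixed. Both inputs are truncated objects that the parser must reject, so `TEST_ASSERT_NULL(json);` after the `cJSON_ParseWithLength` call gives the test an expectation that holds in every configuration, while ASan remains the only thing that detects the out-of-bounds read itself. The `(char*)` cast on `malloc` is unnecessary in C; `char *exact_size_heap = malloc(len);` is the idiomatic form unless this file is also compiled as C++.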
@@ -0,0 +1,29 @@
+From 3ef4e4e730e5efd381be612df41e1ff3f5bb3c32 Mon Sep 17 00:00:00 2001
+From: orri
+Date: Tue, 30 Apr 2024 09:50:19 +0000
+Subject: [PATCH 2/2] Fix heap buffer overflow
+
+Fixes #800
+---
+ cJSON.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 4f5b38d..97564bb 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -1660,6 +1660,11 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
+ current_item = new_item;
+ }
+ 
++ if (cannot_access_at_index(input_buffer, 1))
++ {
++ goto fail; /* nothing comes after the comma */
++ }
++
+ /* parse the name of the child */
+ input_buffer->offset++;
+ buffer_skip_whitespace(input_buffer);
+--
+2.43.0
+
diff --git a/backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch b/backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch
new file mode 100644
index 0000000..063bc38
--- /dev/null
+++ b/backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch
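Review bot: The guard is anchored to the comma (`cannot_access_at_index(input_buffer, 1)` before `input_buffer->offset++`), which covers the truncated-object input, but parse_object's loop starts and ends outside this hunk and only this function is fixed; whether the equivalent comma path in parse_array needs the same check depends on whether the value parser it calls guards its first read, which cannot be seen here and should be confirmed against the 1.7.15 source. The commit message says only `Fixes #800`; naming the triggering shape (a non-NUL-terminated buffer that ends right after a comma, parsed through cJSON_ParseWithLength) would help anyone triaging this backport. The inline `/* nothing comes after the comma */` is a good why-comment and should stay.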
@@ -0,0 +1,74 @@
+From 0489fa665b373d214523e318ee6b75292ea0e411 Mon Sep 17 00:00:00 2001
+From: maebex
+Date: Sat, 30 Mar 2024 10:42:22 +0100
+Subject: [PATCH] Set free'd pointers to NULL whenever they are not reassigned
+ immediately after
+
+---
+ cJSON.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 7532e84..ab4fb35 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -263,10 +263,12 @@ CJSON_PUBLIC(void) cJSON_Delete(cJSON *item)
+ if (!(item->type & cJSON_IsReference) && (item->valuestring != NULL))
+ {
+ global_hooks.deallocate(item->valuestring);
++ item->valuestring = NULL;
+ }
+ if (!(item->type & cJSON_StringIsConst) && (item->string != NULL))
+ {
+ global_hooks.deallocate(item->string);
++ item->string = NULL;
+ }
+ global_hooks.deallocate(item);
+ item = next;
+@@ -900,6 +902,7 @@ fail:
+ if (output != NULL)
+ {
+ input_buffer->hooks.deallocate(output);
++ output = NULL;
+ }
+ 
+ if (input_pointer != NULL)
+@@ -1242,6 +1245,7 @@ static unsigned char *print(const cJSON * const item, cJSON_bool format, const i
+ 
+ /* free the buffer */
+ hooks->deallocate(buffer->buffer);
++ buffer->buffer = NULL;
+ }
+ 
+ return printed;
+@@ -1250,11 +1254,13 @@ fail:
+ if (buffer->buffer != NULL)
+ {
+ hooks->deallocate(buffer->buffer);
++ buffer->buffer = NULL;
+ }
+ 
+ if (printed != NULL)
+ {
+ hooks->deallocate(printed);
++ printed = NULL;
+ }
+ 
+ return NULL;
+@@ -1295,6 +1301,7 @@ CJSON_PUBLIC(char *) cJSON_PrintBuffered(const cJSON *item, int prebuffer, cJSON
+ if (!print_value(item, &p))
+ {
+ global_hooks.deallocate(p.buffer);
++ p.buffer = NULL;
+ return NULL;
+ }
+ 
+@@ -3138,4 +3145,5 @@ CJSON_PUBLIC(void *) cJSON_malloc(size_t size)
+ CJSON_PUBLIC(void) cJSON_free(void *object)
+ {
+ global_hooks.deallocate(object);
++ object = NULL;
+ }
+--
+2.33.0
+
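Review bot: `object = NULL;` in cJSON_free (hunk at -3138) assigns a by-value parameter, so the caller's pointer is untouched and neither a double free nor a use-after-free is prevented; it is a dead store that compilers may warn about and that suggests a guarantee the function does not give. `output = NULL;` (hunk at -900) and `printed = NULL;` (hunk at -1250) are the same kind of store to a local that goes out of scope at the `return` that follows, and `p.buffer = NULL;` (hunk at -1295) appears to be a local struct as well. Only the stores into `item->valuestring`, `item->string` and `buffer->buffer` reach memory a later path could still read, and the first two are freed together with `item` two lines later anyway. Drop the dead stores and put the ownership rule on cJSON_free instead: `/* does not clear the caller's pointer; callers must NULL it themselves */`.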
diff --git a/backport-fix-add-allocate-check-for-replace_item_in_object-67.patch b/backport-fix-add-allocate-check-for-replace_item_in_object-67.patch
new file mode 100644
index 0000000..692a9ed
--- /dev/null
+++ b/backport-fix-add-allocate-check-for-replace_item_in_object-67.patch
@@ -0,0 +1,80 @@
+From b45f48e600671feade0b6bd65d1c69de7899f2be Mon Sep 17 00:00:00 2001
+From: Junbo Zheng <3273070@qq.com>
+Date: Tue, 29 Mar 2022 15:02:59 +0800
+Subject: [PATCH] fix: add allocate check for replace_item_in_object (#675)
+
+Signed-off-by: Junbo Zheng
+---
+ cJSON.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/cJSON.c b/cJSON.c
+index c78aac6..524ba46 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -96,9 +96,9 @@ CJSON_PUBLIC(const char *) cJSON_GetErrorPtr(void)
+ return (const char*) (global_error.json + global_error.position);
+ }
+ 
+-CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item)
++CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item)
+ {
+- if (!cJSON_IsString(item))
++ if (!cJSON_IsString(item))
+ {
+ return NULL;
+ }
+@@ -106,9 +106,9 @@ CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item)
+ return item->valuestring;
+ }
+ 
+-CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item)
++CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item)
+ {
+- if (!cJSON_IsNumber(item))
++ if (!cJSON_IsNumber(item))
+ {
+ return (double) NAN;
+ }
+@@ -511,7 +511,7 @@ static unsigned char* ensure(printbuffer * const p, size_t needed)
+ 
+ return NULL;
+ }
+-
++
+ memcpy(newbuffer, p->buffer, p->offset + 1);
+ p->hooks.deallocate(p->buffer);
+ }
+@@ -1107,7 +1107,7 @@ CJSON_PUBLIC(cJSON *) cJSON_ParseWithLengthOpts(const char *value, size_t buffer
+ }
+ 
+ buffer.content = (const unsigned char*)value;
+- buffer.length = buffer_length;
++ buffer.length = buffer_length;
+ buffer.offset = 0;
+ buffer.hooks = global_hooks;
+ 
+@@ -2361,6 +2361,11 @@ static cJSON_bool replace_item_in_object(cJSON *object, const char *string, cJSO
+ cJSON_free(replacement->string);
+ }
+ replacement->string = (char*)cJSON_strdup((const unsigned char*)string, &global_hooks);
++ if (replacement->string == NULL)
++ {
++ return false;
++ }
++
+ replacement->type &= ~cJSON_StringIsConst;
+ 
+ return cJSON_ReplaceItemViaPointer(object, get_object_item(object, string, case_sensitive), replacement);
+@@ -2693,7 +2698,7 @@ CJSON_PUBLIC(cJSON *) cJSON_CreateStringArray(const char *const *strings, int co
+ if (a && a->child) {
+ a->child->prev = n;
+ }
+-
++
+ return a;
+ }
+ 
+--
+2.9.3.windows.1
+
diff --git a/backport-fix-print-int-without-decimal-places-630.patch b/backport-fix-print-int-without-decimal-places-630.patch
new file mode 100644
index 0000000..d87b70c
--- /dev/null
+++ b/backport-fix-print-int-without-decimal-places-630.patch
@@ -0,0 +1,26 @@
+From d321fa9e6e574ff93518f6384865b9af0a4a4afc Mon Sep 17 00:00:00 2001
+From: AlexanderVasiljev <48011002+AlexanderVasiljev@users.noreply.github.com>
+Date: Wed, 19 Jan 2022 05:30:31 +0300
+Subject: [PATCH] fix: print int without decimal places (#630)
+
+---
+ cJSON.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 3063f74..c78aac6 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -562,6 +562,10 @@ static cJSON_bool print_number(const cJSON * const item, printbuffer * const out
+ {
+ length = sprintf((char*)number_buffer, "null");
+ }
++ else if(d == (double)item->valueint)
++ {
++ length = sprintf((char*)number_buffer, "%d", item->valueint);
++ }
+ else
+ {
+ /* Try 15 decimal places of precision to avoid nonsignificant nonzero digits */
+--
+
diff --git a/cjson.spec b/cjson.spec
index 5beedfc..d917314 100644
--- a/cjson.spec
+++ b/cjson.spec
@@ -1,6 +1,6 @@
 Name: cjson
 Version: 1.7.15
-Release: 4
+Release: 5
 Summary: Ultralightweight JSON parser in ANSI C
 License: MIT and ASL 2.0
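Review bot: Only the hunk at -2361 is functional (the `replacement->string == NULL` check after cJSON_strdup); the hunks at -96, -106, -511, -1107 and -2693 change trailing whitespace only, which inflates the backport and raises the chance of conflicts with the other patches in this series that also touch cJSON.c. Trimming the patch to the single functional hunk would make the review surface match the fix. On the fix itself, returning false leaves `replacement` with `string` set to NULL (and freed when it was not const) while `replacement->type` may still carry cJSON_StringIsConst, since the `&= ~cJSON_StringIsConst` line is skipped; that is safe for a later cJSON_Delete, which skips a NULL string, but the fact that the caller still owns `replacement` on failure deserves a comment above the `return false;`, e.g. `/* replacement is not linked in; caller still owns it */`. replace_item_in_object starts outside the hunk.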
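Review bot: The new `else if(d == (double)item->valueint)` branch in print_number changes output for negative zero: `-0.0 == 0` is true in C, so a value of `-0.0` now prints as `0` where the `%1.15g` path below printed `-0`; if that is acceptable it should be stated in the patch description, otherwise the condition needs a sign check such as `else if (d == (double)item->valueint && !(d == 0 && signbit(d)))`. The branch also assumes valueint is kept in sync with valuedouble by every writer (parse_number, cJSON_SetNumberHelper), which is outside this hunk and presumably true for 1.7.15 but should be confirmed, since a stale valueint would now print the wrong value. The patch carries no test; a print test covering `1`, `-5`, `2147483647` and `1.5` would pin the intent. print_number starts and ends outside the hunk.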
@@ -10,6 +10,12 @@ Source0: https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.ta
 Patch0001: backport-CVE-2023-50471_50472.patch
 Patch0002: backport-fix-potential-memory-leak-in-merge_patch.patch
 Patch0003: CVE-2024-31755.patch
+Patch0004: Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch
+Patch0005: backport-fix-add-allocate-check-for-replace_item_in_object-67.patch
+Patch0006: backport-fix-print-int-without-decimal-places-630.patch
+Patch0007: backport-Add-test-for-heap-buffer-overflow.patch
+Patch0008: backport-Fix-heap-buffer-overflow.patch
+Patch0009: backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch
 BuildRequires: gcc
 BuildRequires: cmake
@@ -54,6 +60,9 @@ rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake
 %{_includedir}/cjson/
 %changelog
+* Tue Jun 18 2024 Zhao Mengmeng - 1.7.15-5
+- sync patches from 24.03 branches
+
 * Fri Apr 26 2024 lvfei - 1.7.15-4
 - fix CVE-2024-31755
-- Gitee