From fdb5600f2a2aca9219e26f95937ce4d54292f973 Mon Sep 17 00:00:00 2001
From: liningjie
Date: Mon, 6 Nov 2023 14:08:01 +0800
Subject: [PATCH] Fix CVE-2023-50471 CVE-2023-50472
---
 backport-CVE-2023-50471_50472.patch | 113 ++++++++++++++++++++++++++++
 cjson.spec | 11 ++-
 2 files changed, 121 insertions(+), 3 deletions(-)
 create mode 100644 backport-CVE-2023-50471_50472.patch
diff --git a/backport-CVE-2023-50471_50472.patch b/backport-CVE-2023-50471_50472.patch
new file mode 100644
index 0000000..94bcdfe
--- /dev/null
+++ b/backport-CVE-2023-50471_50472.patch
@@ -0,0 +1,113 @@
+From e4f98c7f5808be93886a85523bec516a6732d524 Mon Sep 17 00:00:00 2001
+From: Lee
+Date: Mon, 6 Nov 2023 14:02:49 +0800
+Subject: [PATCH] add NULL checkings (#809)
+
+* add NULL checks in cJSON_SetValuestring
+
+Fixes #803(CVE-2023-50472)
+
+* add NULL check in cJSON_InsertItemInArray
+
+Fixes #802(CVE-2023-50471)
+
+* add tests for NULL checks
+
+add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring
+---
+ cJSON.c | 14 ++++++++++++--
+ tests/misc_tests.c | 21 +++++++++++++++++++++
+ 2 files changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/cJSON.c b/cJSON.c
+index 3063f74..7543078 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -401,7 +401,12 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
+ {
+ char *copy = NULL;
+ /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
+- if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++ if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++ {
++ return NULL;
++ }
++ /* return NULL if the object is corrupted */
++ if (object->valuestring == NULL)
+ {
+ return NULL;
+ }
+@@ -2260,7 +2265,7 @@ CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON
+ {
+ cJSON *after_inserted = NULL;
+
+- if (which < 0)
++ if (which < 0 || newitem == NULL)
+ {
+ return false;
+ }
+@@ -2271,6 +2276,11 @@ CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON
+ return add_item_to_array(array, newitem);
+ }
+
++ if (after_inserted != array->child && after_inserted->prev == NULL) {
++ /* return false if after_inserted is a corrupted array item */
++ return false;
++ }
++
+ newitem->next = after_inserted;
+ newitem->prev = after_inserted->prev;
+ after_inserted->prev = newitem;
+diff --git a/tests/misc_tests.c b/tests/misc_tests.c
+index 3bf0a1c..8031c0d 100644
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ 
-353,6 +353,19 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
+ {
+ char buffer[10];
+ cJSON *item = cJSON_CreateString("item");
++ cJSON *array = cJSON_CreateArray();
++ cJSON *item1 = cJSON_CreateString("item1");
++ cJSON *item2 = cJSON_CreateString("corrupted array item3");
++ cJSON *corruptedString = cJSON_CreateString("corrupted");
++ struct cJSON *originalPrev;
++
++ add_item_to_array(array, item1);
++ add_item_to_array(array, item2);
++
++ originalPrev = item2->prev;
++ item2->prev = NULL;
++ free(corruptedString->valuestring);
++ corruptedString->valuestring = NULL;
+
+ cJSON_InitHooks(NULL);
+ TEST_ASSERT_NULL(cJSON_Parse(NULL));
+@@ -412,6 +425,8 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
+ cJSON_DeleteItemFromObject(item, NULL);
+ cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item");
+ cJSON_DeleteItemFromObjectCaseSensitive(item, NULL);
++ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL));
++ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item));
+ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item));
+ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL));
+ TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item));
+@@ -428,10 +443,16 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
+ TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true));
+ TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false));
+ TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
++ TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
++ TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
+ cJSON_Minify(NULL);
+ /* skipped because it is only used via a macro that checks for NULL */
+ /* cJSON_SetNumberHelper(NULL, 0); */
+
++ /* restore corrupted item2 to delete it */
++ item2->prev = originalPrev;
++ cJSON_Delete(corruptedString);
++ cJSON_Delete(array);
+ cJSON_Delete(item);
+ }
+
+--
+2.33.0
+
diff --git a/cjson.spec b/cjson.spec
index 066a271..0d57a50 100644
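Review bot: In the `@@ -401,7 +401,12 @@` hunk of cJSON.c the new guard rejects a NULL `object` and a NULL `object->valuestring` but never tests the `valuestring` argument itself, and the remainder of cJSON_SetValuestring lies outside the hunk; if that body still begins with `strlen(valuestring)` and `strcpy()` as in the 1.7.15 release this spec patches, `cJSON_SetValuestring(item, NULL)` still dereferences NULL after the backport, which is the same class of bug the CVE fix is meant to close. Widen the second guard to `if (object->valuestring == NULL || valuestring == NULL)` and pin it with `TEST_ASSERT_NULL(cJSON_SetValuestring(item, NULL));` next to the two SetValuestring assertions added in misc_tests.c, which only cover the NULL-object and corrupted-object cases. A minor style point in the `@@ -2271,6 +2276,11 @@` hunk: the corrupted-item check puts `{` on the `if` line while every other brace in these hunks sits on its own line, so `if (after_inserted != array->child && after_inserted->prev == NULL)` with `{` on the following line would match the file. Both patched functions continue past the end of their hunks, so the rest of their bodies is not visible here.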
--- a/cjson.spec
+++ b/cjson.spec
@@ -1,12 +1,14 @@
 Name: cjson
 Version: 1.7.15
-Release: 1
+Release: 2
 Summary: Ultralightweight JSON parser in ANSI C
 License: MIT and ASL 2.0
 URL: https://github.com/DaveGamble/cJSON
 Source0: https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.tar.gz
+Patch0001: backport-CVE-2023-50471_50472.patch
+
 BuildRequires: gcc
 BuildRequires: cmake
@@ -24,7 +26,7 @@ The cjson-devel package contains libraries and header files for developing
 applications that use cJSON.
 %prep
-%autosetup -n cJSON-%{version}
+%autosetup -n cJSON-%{version} -p1
 %build
 %cmake
@@ -50,5 +52,8 @@ rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake
 %{_includedir}/cjson/
 %changelog
+* Sun Dec 24 2023 liningjie - 1.7.15-2
+- Fix CVE-2023-50471 CVE-2023-50472
+
 * Thu Sep 23 2021 jiangxinyu - 1.7.15-1
-- Package Init
\ No newline at end of file
+- Package Init
--
Gitee