From f368930f9d97de19b47f16714acff3f581c05e32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E6=94=80?= <zhangpan@cqsoftware.com.cn>
Date: Mon, 29 Sep 2025 15:10:43 +0800
Subject: [PATCH] Fix CVE-2025-57052
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 张攀 <zhangpan@cqsoftware.com.cn>
(cherry picked from commit 9d2da1e513011894e14250052e36d8bcfbc81849)
---
 backport-CVE-2025-57052.patch | 23 +++++++++++++++++++++++
 cjson.spec                    |  6 +++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2025-57052.patch

diff --git a/backport-CVE-2025-57052.patch b/backport-CVE-2025-57052.patch
new file mode 100644
index 0000000..7577888
--- /dev/null
+++ b/backport-CVE-2025-57052.patch
@@ -0,0 +1,23 @@
+From 74e1ff4994aa4139126967f6d289b675b4b36fef Mon Sep 17 00:00:00 2001
+From: Lee <peteralfredlee@gmail.com>
+Date: Fri, 5 Sep 2025 14:53:20 +0800
+Subject: [PATCH] fix the incorrect check in decode_array_index_from_pointer
+ (#957)
+
+this fixes CVE-2025-57052
+---
+ cJSON_Utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cJSON_Utils.c b/cJSON_Utils.c
+index 63651dfb..8fa24f8e 100644
+--- a/cJSON_Utils.c
++++ b/cJSON_Utils.c
+@@ -282,7 +282,7 @@ static cJSON_bool decode_array_index_from_pointer(const unsigned char * const po
+         return 0;
+     }
+ 
+-    for (position = 0; (pointer[position] >= '0') && (pointer[0] <= '9'); position++)
++    for (position = 0; (pointer[position] >= '0') && (pointer[position] <= '9'); position++)
+     {
+         parsed_index = (10 * parsed_index) + (size_t)(pointer[position] - '0');
diff --git a/cjson.spec b/cjson.spec
index 7f2571a..af825eb 100644
--- a/cjson.spec
+++ b/cjson.spec
@@ -1,6 +1,6 @@
 Name:           cjson
 Version:        1.7.18
-Release:        4
+Release:        5
 Summary:        Ultralightweight JSON parser in ANSI C
  
 License:        MIT
@@ -8,6 +8,7 @@ URL:            https://github.com/DaveGamble/cJSON
 Source0:        https://github.com/DaveGamble/cJSON/archive/refs/tags/v%{version}.tar.gz
 Patch0:         cJSON-1.7.18-port-to-newer-cmake.patch
 Patch0001:      backport-CVE-2023-26819.patch
+Patch0002:      backport-CVE-2025-57052.patch
 BuildRequires:  gcc
 BuildRequires:  cmake
 
@@ -46,6 +47,9 @@ developing applications that use cJSON.
 %{_includedir}/cjson/
 
 %changelog
+* Mon Sep 29 2025 zhangpan <zhangpan@cqsoftware.com.cn> - 1.7.18-5
+- Fix CVE-2025-57052
+
 * Tue Aug 05 2025 zhangpan <zhangpan@cqsoftware.com.cn> - 1.7.18-4
 - Fix CVE-2023-26819
 
-- 
Gitee