packages/cjson
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-50471 CVE-2023-50472

Browse Source 
(cherry picked from commit fdb5600f2a2aca9219e26f95937ce4d54292f973)
This commit is contained in:
liningjie 2023-11-06 14:08:01 +08:00 committed by openeuler-sync-bot
parent bd6e439b41
commit 08a539b592
2 changed files with 121 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
backport-CVE-2023-50471_50472.patch Normal file
View File

@ -0,0 +1,113 @@
From e4f98c7f5808be93886a85523bec516a6732d524 Mon Sep 17 00:00:00 2001
From: Lee <peterlee@apache.org>
Date: Mon, 6 Nov 2023 14:02:49 +0800
Subject: [PATCH] add NULL checkings (#809)
* add NULL checks in cJSON_SetValuestring
Fixes #803(CVE-2023-50472)
* add NULL check in cJSON_InsertItemInArray
Fixes #802(CVE-2023-50471)
* add tests for NULL checks
add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring
---
cJSON.c | 14 ++++++++++++--
tests/misc_tests.c | 21 +++++++++++++++++++++
2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/cJSON.c b/cJSON.c
index 3063f74..7543078 100644
--- a/cJSON.c
+++ b/cJSON.c
@@ -401,7 +401,12 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
{
char *copy = NULL;
/* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
- if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
+ if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference))
+ {
+ return NULL;
+ }
+ /* return NULL if the object is corrupted */
+ if (object->valuestring == NULL)
{
return NULL;
}
@@ -2260,7 +2265,7 @@ CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON
{
cJSON *after_inserted = NULL;
- if (which < 0)
+ if (which < 0 || newitem == NULL)
{
return false;
}
@@ -2271,6 +2276,11 @@ CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON
return add_item_to_array(array, newitem);
}
+ if (after_inserted != array->child && after_inserted->prev == NULL) {
+ /* return false if after_inserted is a corrupted array item */
+ return false;
+ }
+
newitem->next = after_inserted;
newitem->prev = after_inserted->prev;
after_inserted->prev = newitem;
diff --git a/tests/misc_tests.c b/tests/misc_tests.c
index 3bf0a1c..8031c0d 100644
--- a/tests/misc_tests.c
+++ b/tests/misc_tests.c
@@ -353,6 +353,19 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
{
char buffer[10];
cJSON *item = cJSON_CreateString("item");
+ cJSON *array = cJSON_CreateArray();
+ cJSON *item1 = cJSON_CreateString("item1");
+ cJSON *item2 = cJSON_CreateString("corrupted array item3");
+ cJSON *corruptedString = cJSON_CreateString("corrupted");
+ struct cJSON *originalPrev;
+
+ add_item_to_array(array, item1);
+ add_item_to_array(array, item2);
+
+ originalPrev = item2->prev;
+ item2->prev = NULL;
+ free(corruptedString->valuestring);
+ corruptedString->valuestring = NULL;
cJSON_InitHooks(NULL);
TEST_ASSERT_NULL(cJSON_Parse(NULL));
@@ -412,6 +425,8 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
cJSON_DeleteItemFromObject(item, NULL);
cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item");
cJSON_DeleteItemFromObjectCaseSensitive(item, NULL);
+ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL));
+ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item));
TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item));
TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL));
TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item));
@@ -428,10 +443,16 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true));
TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false));
TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
+ TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
+ TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
cJSON_Minify(NULL);
/* skipped because it is only used via a macro that checks for NULL */
/* cJSON_SetNumberHelper(NULL, 0); */
+ /* restore corrupted item2 to delete it */
+ item2->prev = originalPrev;
+ cJSON_Delete(corruptedString);
+ cJSON_Delete(array);
cJSON_Delete(item);
}
--
2.33.0

9
cjson.spec
View File

@ -1,12 +1,14 @@
Name: cjson Name: cjson
Version: 1.7.15 Version: 1.7.15
Release: 1 Release: 2
Summary: Ultralightweight JSON parser in ANSI C Summary: Ultralightweight JSON parser in ANSI C
License: MIT and ASL 2.0 License: MIT and ASL 2.0
URL: https://github.com/DaveGamble/cJSON URL: https://github.com/DaveGamble/cJSON
Source0: https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.tar.gz Source0: https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.tar.gz
Patch0001: backport-CVE-2023-50471_50472.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: cmake BuildRequires: cmake
@ -24,7 +26,7 @@ The cjson-devel package contains libraries and header files for
developing applications that use cJSON. developing applications that use cJSON.
%prep %prep
%autosetup -n cJSON-%{version} %autosetup -n cJSON-%{version} -p1
%build %build
%cmake %cmake
@ -50,5 +52,8 @@ rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake
%{_includedir}/cjson/ %{_includedir}/cjson/
%changelog %changelog
* Sun Dec 24 2023 liningjie <liningjie@xfusion.com> - 1.7.15-2
- Fix CVE-2023-50471 CVE-2023-50472
* Thu Sep 23 2021 jiangxinyu <jiangxinyu@kylinos.cn> - 1.7.15-1 * Thu Sep 23 2021 jiangxinyu <jiangxinyu@kylinos.cn> - 1.7.15-1
- Package Init - Package Init