packages/cjson
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:1398862821dcdaaca23bf3e9f26bf79b327489b9
Branches Tags
packages:main
..
compare: packages:bf5ef6bda332b3e17311ab72c96574ea5588ad25
Branches Tags
packages:main

No commits in common. "1398862821dcdaaca23bf3e9f26bf79b327489b9" and "bf5ef6bda332b3e17311ab72c96574ea5588ad25" have entirely different histories.
1398862821 ... bf5ef6bda3

12 changed files with 0 additions and 544 deletions
Show Stats Expand all files Collapse all files

47
CVE-2024-31755.patch
View File

@ -1,47 +0,0 @@
From 00c76717b4315381a1878cca2f10d08544634bf2 Mon Sep 17 00:00:00 2001
From: Alanscut <Alanscut@google.com>
Date: Mon, 29 Apr 2024 13:29:12 +0800
Subject: [PATCH] CVE-2024-31755
Fix NULL valuestring problem in cJSON_SetValuestring.
This fixes #839 and CVE-2024-31755
Related issue #845
---
cJSON.c | 7 +++++++
tests/misc_tests.c | 1 +
2 files changed, 8 insertions(+)
diff --git a/cJSON.c b/cJSON.c
index 7543078..349ebbd 100644
--- a/cJSON.c
+++ b/cJSON.c
@@ -410,6 +410,13 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
{
return NULL;
}
+ /* NULL valuestring causes error with strlen and should be treated separately */
+ if (valuestring == NULL)
+ {
+ cJSON_free(object->valuestring);
+ object->valuestring = NULL;
+ return NULL;
+ }
if (strlen(valuestring) <= strlen(object->valuestring))
{
strcpy(object->valuestring, valuestring);
diff --git a/tests/misc_tests.c b/tests/misc_tests.c
index 8031c0d..c11a823 100644
--- a/tests/misc_tests.c
+++ b/tests/misc_tests.c
@@ -445,6 +445,7 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
+ TEST_ASSERT_NULL(cJSON_SetValuestring(item, NULL));
cJSON_Minify(NULL);
/* skipped because it is only used via a macro that checks for NULL */
/* cJSON_SetNumberHelper(NULL, 0); */
--
2.27.0

25
Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch
View File

@ -1,25 +0,0 @@
From 73d8cbbaf1c8b5ceb5a46a8e7d9a24aa3edaf0a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=82=96=E5=9C=A8?= <xiaozai@kylinos.cn>
Date: Tue, 7 May 2024 11:40:54 +0800
Subject: [PATCH] Fix a null pointer crash in cJSON_ReplaceItemViaPointer
---
cJSON.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cJSON.c b/cJSON.c
index 349ebbd..a1073ed 100644
--- a/cJSON.c
+++ b/cJSON.c
@@ -2304,7 +2304,7 @@ CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON
CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemViaPointer(cJSON * const parent, cJSON * const item, cJSON * replacement)
{
- if ((parent == NULL) || (replacement == NULL) || (item == NULL))
+ if ((parent == NULL) || (parent->child == NULL) || (replacement == NULL) || (item == NULL))
{
return false;
}
--
2.33.0

58
backport-Add-test-for-heap-buffer-overflow.patch
View File

@ -1,58 +0,0 @@
From 826cd6f842ae7e46ee38bbc097f9a34f2947388d Mon Sep 17 00:00:00 2001
From: orri <orri@systemb.is>
Date: Tue, 30 Apr 2024 09:46:17 +0000
Subject: [PATCH 1/2] Add test for heap buffer overflow
From #800
---
tests/parse_examples.c | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/tests/parse_examples.c b/tests/parse_examples.c
index 95a0959..d35d6cf 100644
--- a/tests/parse_examples.c
+++ b/tests/parse_examples.c
@@ -250,6 +250,33 @@ static void test14_should_not_be_parsed(void)
}
}
+/* Address Sanitizer */
+static void test15_should_not_heap_buffer_overflow(void)
+{
+ const char *strings[] = {
+ "{\"1\":1,",
+ "{\"1\":1, ",
+ };
+
+ size_t i;
+
+ for (i = 0; i < sizeof(strings) / sizeof(strings[0]); i+=1)
+ {
+ const char *json_string = strings[i];
+ size_t len = strlen(json_string);
+ cJSON *json = NULL;
+
+ char *exact_size_heap = (char*)malloc(len);
+ TEST_ASSERT_NOT_NULL(exact_size_heap);
+
+ memcpy(exact_size_heap, json_string, len);
+ json = cJSON_ParseWithLength(exact_size_heap, len);
+
+ cJSON_Delete(json);
+ free(exact_size_heap);
+ }
+}
+
int CJSON_CDECL main(void)
{
UNITY_BEGIN();
@@ -267,5 +294,6 @@ int CJSON_CDECL main(void)
RUN_TEST(test12_should_not_be_parsed);
RUN_TEST(test13_should_be_parsed_without_null_termination);
RUN_TEST(test14_should_not_be_parsed);
+ RUN_TEST(test15_should_not_heap_buffer_overflow);
return UNITY_END();
}
--
2.43.0

113
backport-CVE-2023-50471_50472.patch
View File

@ -1,113 +0,0 @@
From e4f98c7f5808be93886a85523bec516a6732d524 Mon Sep 17 00:00:00 2001
From: Lee <peterlee@apache.org>
Date: Mon, 6 Nov 2023 14:02:49 +0800
Subject: [PATCH] add NULL checkings (#809)
* add NULL checks in cJSON_SetValuestring
Fixes #803(CVE-2023-50472)
* add NULL check in cJSON_InsertItemInArray
Fixes #802(CVE-2023-50471)
* add tests for NULL checks
add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring
---
cJSON.c | 14 ++++++++++++--
tests/misc_tests.c | 21 +++++++++++++++++++++
2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/cJSON.c b/cJSON.c
index 3063f74..7543078 100644
--- a/cJSON.c
+++ b/cJSON.c
@@ -401,7 +401,12 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
{
char *copy = NULL;
/* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
- if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
+ if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference))
+ {
+ return NULL;
+ }
+ /* return NULL if the object is corrupted */
+ if (object->valuestring == NULL)
{
return NULL;
}
@@ -2260,7 +2265,7 @@ CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON
{
cJSON *after_inserted = NULL;
- if (which < 0)
+ if (which < 0 || newitem == NULL)
{
return false;
}
@@ -2271,6 +2276,11 @@ CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON
return add_item_to_array(array, newitem);
}
+ if (after_inserted != array->child && after_inserted->prev == NULL) {
+ /* return false if after_inserted is a corrupted array item */
+ return false;
+ }
+
newitem->next = after_inserted;
newitem->prev = after_inserted->prev;
after_inserted->prev = newitem;
diff --git a/tests/misc_tests.c b/tests/misc_tests.c
index 3bf0a1c..8031c0d 100644
--- a/tests/misc_tests.c
+++ b/tests/misc_tests.c
@@ -353,6 +353,19 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
{
char buffer[10];
cJSON *item = cJSON_CreateString("item");
+ cJSON *array = cJSON_CreateArray();
+ cJSON *item1 = cJSON_CreateString("item1");
+ cJSON *item2 = cJSON_CreateString("corrupted array item3");
+ cJSON *corruptedString = cJSON_CreateString("corrupted");
+ struct cJSON *originalPrev;
+
+ add_item_to_array(array, item1);
+ add_item_to_array(array, item2);
+
+ originalPrev = item2->prev;
+ item2->prev = NULL;
+ free(corruptedString->valuestring);
+ corruptedString->valuestring = NULL;
cJSON_InitHooks(NULL);
TEST_ASSERT_NULL(cJSON_Parse(NULL));
@@ -412,6 +425,8 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
cJSON_DeleteItemFromObject(item, NULL);
cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item");
cJSON_DeleteItemFromObjectCaseSensitive(item, NULL);
+ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL));
+ TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item));
TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item));
TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL));
TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item));
@@ -428,10 +443,16 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true));
TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false));
TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
+ TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
+ TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
cJSON_Minify(NULL);
/* skipped because it is only used via a macro that checks for NULL */
/* cJSON_SetNumberHelper(NULL, 0); */
+ /* restore corrupted item2 to delete it */
+ item2->prev = originalPrev;
+ cJSON_Delete(corruptedString);
+ cJSON_Delete(array);
cJSON_Delete(item);
}
--
2.33.0

29
backport-Fix-heap-buffer-overflow.patch
View File

@ -1,29 +0,0 @@
From 3ef4e4e730e5efd381be612df41e1ff3f5bb3c32 Mon Sep 17 00:00:00 2001
From: orri <orri@systemb.is>
Date: Tue, 30 Apr 2024 09:50:19 +0000
Subject: [PATCH 2/2] Fix heap buffer overflow
Fixes #800
---
cJSON.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/cJSON.c b/cJSON.c
index 4f5b38d..97564bb 100644
--- a/cJSON.c
+++ b/cJSON.c
@@ -1660,6 +1660,11 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
current_item = new_item;
}
+ if (cannot_access_at_index(input_buffer, 1))
+ {
+ goto fail; /* nothing comes after the comma */
+ }
+
/* parse the name of the child */
input_buffer->offset++;
buffer_skip_whitespace(input_buffer);
--
2.43.0

74
backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch
View File

@ -1,74 +0,0 @@
From 0489fa665b373d214523e318ee6b75292ea0e411 Mon Sep 17 00:00:00 2001
From: maebex <maximilian.berndt11@web.de>
Date: Sat, 30 Mar 2024 10:42:22 +0100
Subject: [PATCH] Set free'd pointers to NULL whenever they are not reassigned
immediately after
---
cJSON.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/cJSON.c b/cJSON.c
index 7532e84..ab4fb35 100644
--- a/cJSON.c
+++ b/cJSON.c
@@ -263,10 +263,12 @@ CJSON_PUBLIC(void) cJSON_Delete(cJSON *item)
if (!(item->type & cJSON_IsReference) && (item->valuestring != NULL))
{
global_hooks.deallocate(item->valuestring);
+ item->valuestring = NULL;
}
if (!(item->type & cJSON_StringIsConst) && (item->string != NULL))
{
global_hooks.deallocate(item->string);
+ item->string = NULL;
}
global_hooks.deallocate(item);
item = next;
@@ -900,6 +902,7 @@ fail:
if (output != NULL)
{
input_buffer->hooks.deallocate(output);
+ output = NULL;
}
if (input_pointer != NULL)
@@ -1242,6 +1245,7 @@ static unsigned char *print(const cJSON * const item, cJSON_bool format, const i
/* free the buffer */
hooks->deallocate(buffer->buffer);
+ buffer->buffer = NULL;
}
return printed;
@@ -1250,11 +1254,13 @@ fail:
if (buffer->buffer != NULL)
{
hooks->deallocate(buffer->buffer);
+ buffer->buffer = NULL;
}
if (printed != NULL)
{
hooks->deallocate(printed);
+ printed = NULL;
}
return NULL;
@@ -1295,6 +1301,7 @@ CJSON_PUBLIC(char *) cJSON_PrintBuffered(const cJSON *item, int prebuffer, cJSON
if (!print_value(item, &p))
{
global_hooks.deallocate(p.buffer);
+ p.buffer = NULL;
return NULL;
}
@@ -3138,4 +3145,5 @@ CJSON_PUBLIC(void *) cJSON_malloc(size_t size)
CJSON_PUBLIC(void) cJSON_free(void *object)
{
global_hooks.deallocate(object);
+ object = NULL;
}
--
2.33.0

80
backport-fix-add-allocate-check-for-replace_item_in_object-67.patch
View File

@ -1,80 +0,0 @@
From b45f48e600671feade0b6bd65d1c69de7899f2be Mon Sep 17 00:00:00 2001
From: Junbo Zheng <3273070@qq.com>
Date: Tue, 29 Mar 2022 15:02:59 +0800
Subject: [PATCH] fix: add allocate check for replace_item_in_object (#675)
Signed-off-by: Junbo Zheng <zhengjunbo1@xiaomi.com>
---
cJSON.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/cJSON.c b/cJSON.c
index c78aac6..524ba46 100644
--- a/cJSON.c
+++ b/cJSON.c
@@ -96,9 +96,9 @@ CJSON_PUBLIC(const char *) cJSON_GetErrorPtr(void)
return (const char*) (global_error.json + global_error.position);
}
-CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item)
+CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item)
{
- if (!cJSON_IsString(item))
+ if (!cJSON_IsString(item))
{
return NULL;
}
@@ -106,9 +106,9 @@ CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item)
return item->valuestring;
}
-CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item)
+CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item)
{
- if (!cJSON_IsNumber(item))
+ if (!cJSON_IsNumber(item))
{
return (double) NAN;
}
@@ -511,7 +511,7 @@ static unsigned char* ensure(printbuffer * const p, size_t needed)
return NULL;
}
-
+
memcpy(newbuffer, p->buffer, p->offset + 1);
p->hooks.deallocate(p->buffer);
}
@@ -1107,7 +1107,7 @@ CJSON_PUBLIC(cJSON *) cJSON_ParseWithLengthOpts(const char *value, size_t buffer
}
buffer.content = (const unsigned char*)value;
- buffer.length = buffer_length;
+ buffer.length = buffer_length;
buffer.offset = 0;
buffer.hooks = global_hooks;
@@ -2361,6 +2361,11 @@ static cJSON_bool replace_item_in_object(cJSON *object, const char *string, cJSO
cJSON_free(replacement->string);
}
replacement->string = (char*)cJSON_strdup((const unsigned char*)string, &global_hooks);
+ if (replacement->string == NULL)
+ {
+ return false;
+ }
+
replacement->type &= ~cJSON_StringIsConst;
return cJSON_ReplaceItemViaPointer(object, get_object_item(object, string, case_sensitive), replacement);
@@ -2693,7 +2698,7 @@ CJSON_PUBLIC(cJSON *) cJSON_CreateStringArray(const char *const *strings, int co
if (a && a->child) {
a->child->prev = n;
}
-
+
return a;
}
--
2.9.3.windows.1

12
backport-fix-potential-memory-leak-in-merge_patch.patch
View File

@ -1,12 +0,0 @@
diff --git a/cJSON_Utils.c b/cJSON_Utils.c
index c7c6439..63651df 100644
--- a/cJSON_Utils.c
+++ b/cJSON_Utils.c
@@ -1367,6 +1367,7 @@ static cJSON *merge_patch(cJSON *target, const cJSON * const patch, const cJSON_
replacement = merge_patch(replace_me, patch_child, case_sensitive);
if (replacement == NULL)
{
+ cJSON_Delete(target);
return NULL;
}

26
backport-fix-print-int-without-decimal-places-630.patch
View File

@ -1,26 +0,0 @@
From d321fa9e6e574ff93518f6384865b9af0a4a4afc Mon Sep 17 00:00:00 2001
From: AlexanderVasiljev <48011002+AlexanderVasiljev@users.noreply.github.com>
Date: Wed, 19 Jan 2022 05:30:31 +0300
Subject: [PATCH] fix: print int without decimal places (#630)
---
cJSON.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/cJSON.c b/cJSON.c
index 3063f74..c78aac6 100644
--- a/cJSON.c
+++ b/cJSON.c
@@ -562,6 +562,10 @@ static cJSON_bool print_number(const cJSON * const item, printbuffer * const out
{
length = sprintf((char*)number_buffer, "null");
}
+ else if(d == (double)item->valueint)
+ {
+ length = sprintf((char*)number_buffer, "%d", item->valueint);
+ }
else
{
/* Try 15 decimal places of precision to avoid nonsignificant nonzero digits */
--

76
cjson.spec
View File

@ -1,76 +0,0 @@
Name: cjson
Version: 1.7.15
Release: 5
Summary: Ultralightweight JSON parser in ANSI C
License: MIT and ASL 2.0
URL: https://github.com/DaveGamble/cJSON
Source0: https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.tar.gz
Patch0001: backport-CVE-2023-50471_50472.patch
Patch0002: backport-fix-potential-memory-leak-in-merge_patch.patch
Patch0003: CVE-2024-31755.patch
Patch0004: Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch
Patch0005: backport-fix-add-allocate-check-for-replace_item_in_object-67.patch
Patch0006: backport-fix-print-int-without-decimal-places-630.patch
Patch0007: backport-Add-test-for-heap-buffer-overflow.patch
Patch0008: backport-Fix-heap-buffer-overflow.patch
Patch0009: backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch
BuildRequires: gcc
BuildRequires: cmake
%description
cJSON aims to be the dumbest possible parser that you can get your job
done with. It's a single file of C, and a single header file.
%package devel
Summary: Development files for cJSON
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: pkgconfig
%description devel
The cjson-devel package contains libraries and header files for
developing applications that use cJSON.
%prep
%autosetup -n cJSON-%{version} -p1
%build
%cmake
%make_build
%install
%make_install
rm -f %{buildroot}%{_libdir}/*.{la,a}
rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
%license LICENSE
%doc README.md
%{_libdir}/libcjson*.so.*
%files devel
%doc CHANGELOG.md CONTRIBUTORS.md
%{_libdir}/libcjson.so
%{_libdir}/pkgconfig/libcjson.pc
%{_includedir}/cjson/
%changelog
* Tue Jun 18 2024 Zhao Mengmeng <zhaomengmeng@kylinos.cn> - 1.7.15-5
- sync patches from 24.03 branches
* Fri Apr 26 2024 lvfei <lvfei@kylinos.cn> - 1.7.15-4
- fix CVE-2024-31755
* Tue Mar 05 2024 xiejing <xiejing@kylinos.cn> - 1.7.15-3
- fix potential memory leak in merge_patch()
* Sun Dec 24 2023 liningjie <liningjie@xfusion.com> - 1.7.15-2
- Fix CVE-2023-50471 CVE-2023-50472
* Thu Sep 23 2021 jiangxinyu <jiangxinyu@kylinos.cn> - 1.7.15-1
- Package Init

4
cjson.yaml
View File

@ -1,4 +0,0 @@
version_control: github
src_repo: DaveGamble/cJSON
tag_prefix: ""
separator: "."

BIN
v1.7.15.tar.gz
View File

Binary file not shown.