!40 Sync patches from 24.03 branch

From: @mmzzmm 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

CVE-2024-31755.patch

@@ -0,0 +1,47 @@
+From 00c76717b4315381a1878cca2f10d08544634bf2 Mon Sep 17 00:00:00 2001
+From: Alanscut <Alanscut@google.com>
+Date: Mon, 29 Apr 2024 13:29:12 +0800
+Subject: [PATCH] CVE-2024-31755
+
+Fix NULL valuestring problem in cJSON_SetValuestring.
+This fixes #839 and CVE-2024-31755
+Related issue #845
+
+---
+ cJSON.c            | 7 +++++++
+ tests/misc_tests.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 7543078..349ebbd 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -410,6 +410,13 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
+     {
+         return NULL;
+     }
++    /* NULL valuestring causes error with strlen and should be treated separately */
++    if (valuestring == NULL)
++    {
++        cJSON_free(object->valuestring);
++        object->valuestring = NULL;
++        return NULL;
++    }
+     if (strlen(valuestring) <= strlen(object->valuestring))
+     {
+         strcpy(object->valuestring, valuestring);
+diff --git a/tests/misc_tests.c b/tests/misc_tests.c
+index 8031c0d..c11a823 100644
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ -445,6 +445,7 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
+     TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
+     TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
+     TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
++    TEST_ASSERT_NULL(cJSON_SetValuestring(item, NULL));
+     cJSON_Minify(NULL);
+     /* skipped because it is only used via a macro that checks for NULL */
+     /* cJSON_SetNumberHelper(NULL, 0); */
+-- 
+2.27.0
+

Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch

@@ -0,0 +1,25 @@
+From 73d8cbbaf1c8b5ceb5a46a8e7d9a24aa3edaf0a3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E8=82=96=E5=9C=A8?= <xiaozai@kylinos.cn>
+Date: Tue, 7 May 2024 11:40:54 +0800
+Subject: [PATCH] Fix a null pointer crash in cJSON_ReplaceItemViaPointer
+
+---
+ cJSON.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cJSON.c b/cJSON.c
+index 349ebbd..a1073ed 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -2304,7 +2304,7 @@ CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON
+ 
+ CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemViaPointer(cJSON * const parent, cJSON * const item, cJSON * replacement)
+ {
+-    if ((parent == NULL) || (replacement == NULL) || (item == NULL))
++    if ((parent == NULL) || (parent->child == NULL) || (replacement == NULL) || (item == NULL))
+     {
+         return false;
+     }
+-- 
+2.33.0
+

backport-Add-test-for-heap-buffer-overflow.patch

@@ -0,0 +1,58 @@
+From 826cd6f842ae7e46ee38bbc097f9a34f2947388d Mon Sep 17 00:00:00 2001
+From: orri <orri@systemb.is>
+Date: Tue, 30 Apr 2024 09:46:17 +0000
+Subject: [PATCH 1/2] Add test for heap buffer overflow
+
+From #800
+---
+ tests/parse_examples.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tests/parse_examples.c b/tests/parse_examples.c
+index 95a0959..d35d6cf 100644
+--- a/tests/parse_examples.c
++++ b/tests/parse_examples.c
+@@ -250,6 +250,33 @@ static void test14_should_not_be_parsed(void)
+     }
+ }
+ 
++/* Address Sanitizer */
++static void test15_should_not_heap_buffer_overflow(void)
++{
++    const char *strings[] = {
++        "{\"1\":1,",
++        "{\"1\":1, ",
++    };
++
++    size_t i;
++
++    for (i = 0; i < sizeof(strings) / sizeof(strings[0]); i+=1)
++    {
++        const char *json_string = strings[i];
++        size_t len = strlen(json_string);
++        cJSON *json = NULL;
++
++        char *exact_size_heap = (char*)malloc(len);
++        TEST_ASSERT_NOT_NULL(exact_size_heap);
++
++        memcpy(exact_size_heap, json_string, len);
++        json = cJSON_ParseWithLength(exact_size_heap, len);
++
++        cJSON_Delete(json);
++        free(exact_size_heap);
++    }
++}
++
+ int CJSON_CDECL main(void)
+ {
+     UNITY_BEGIN();
+@@ -267,5 +294,6 @@ int CJSON_CDECL main(void)
+     RUN_TEST(test12_should_not_be_parsed);
+     RUN_TEST(test13_should_be_parsed_without_null_termination);
+     RUN_TEST(test14_should_not_be_parsed);
++    RUN_TEST(test15_should_not_heap_buffer_overflow);
+     return UNITY_END();
+ }
+-- 
+2.43.0
+

backport-CVE-2023-50471_50472.patch

@@ -0,0 +1,113 @@
+From e4f98c7f5808be93886a85523bec516a6732d524 Mon Sep 17 00:00:00 2001
+From: Lee <peterlee@apache.org>
+Date: Mon, 6 Nov 2023 14:02:49 +0800
+Subject: [PATCH] add NULL checkings (#809)
+
+* add NULL checks in cJSON_SetValuestring
+
+Fixes #803(CVE-2023-50472)
+
+* add NULL check in cJSON_InsertItemInArray
+
+Fixes #802(CVE-2023-50471)
+
+* add tests for NULL checks
+
+add tests for NULL checks in cJSON_InsertItemInArray and cJSON_SetValuestring
+---
+ cJSON.c            | 14 ++++++++++++--
+ tests/misc_tests.c | 21 +++++++++++++++++++++
+ 2 files changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/cJSON.c b/cJSON.c
+index 3063f74..7543078 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -401,7 +401,12 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
+ {
+     char *copy = NULL;
+     /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
+-    if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++    if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference))
++    {
++        return NULL;
++    }
++    /* return NULL if the object is corrupted */
++    if (object->valuestring == NULL)
+     {
+         return NULL;
+     }
+@@ -2260,7 +2265,7 @@ CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON
+ {
+     cJSON *after_inserted = NULL;
+ 
+-    if (which < 0)
++    if (which < 0 || newitem == NULL)
+     {
+         return false;
+     }
+@@ -2271,6 +2276,11 @@ CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON
+         return add_item_to_array(array, newitem);
+     }
+ 
++    if (after_inserted != array->child && after_inserted->prev == NULL) {
++        /* return false if after_inserted is a corrupted array item */
++        return false;
++    }
++
+     newitem->next = after_inserted;
+     newitem->prev = after_inserted->prev;
+     after_inserted->prev = newitem;
+diff --git a/tests/misc_tests.c b/tests/misc_tests.c
+index 3bf0a1c..8031c0d 100644
+--- a/tests/misc_tests.c
++++ b/tests/misc_tests.c
+@@ -353,6 +353,19 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
+ {
+     char buffer[10];
+     cJSON *item = cJSON_CreateString("item");
++    cJSON *array = cJSON_CreateArray();
++    cJSON *item1 = cJSON_CreateString("item1");
++    cJSON *item2 = cJSON_CreateString("corrupted array item3");
++    cJSON *corruptedString = cJSON_CreateString("corrupted");
++    struct cJSON *originalPrev;
++
++    add_item_to_array(array, item1);
++    add_item_to_array(array, item2);
++
++    originalPrev = item2->prev;
++    item2->prev = NULL;
++    free(corruptedString->valuestring);
++    corruptedString->valuestring = NULL;
+ 
+     cJSON_InitHooks(NULL);
+     TEST_ASSERT_NULL(cJSON_Parse(NULL));
+@@ -412,6 +425,8 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
+     cJSON_DeleteItemFromObject(item, NULL);
+     cJSON_DeleteItemFromObjectCaseSensitive(NULL, "item");
+     cJSON_DeleteItemFromObjectCaseSensitive(item, NULL);
++    TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 0, NULL));
++    TEST_ASSERT_FALSE(cJSON_InsertItemInArray(array, 1, item));
+     TEST_ASSERT_FALSE(cJSON_InsertItemInArray(NULL, 0, item));
+     TEST_ASSERT_FALSE(cJSON_InsertItemInArray(item, 0, NULL));
+     TEST_ASSERT_FALSE(cJSON_ReplaceItemViaPointer(NULL, item, item));
+@@ -428,10 +443,16 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
+     TEST_ASSERT_NULL(cJSON_Duplicate(NULL, true));
+     TEST_ASSERT_FALSE(cJSON_Compare(item, NULL, false));
+     TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
++    TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
++    TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
+     cJSON_Minify(NULL);
+     /* skipped because it is only used via a macro that checks for NULL */
+     /* cJSON_SetNumberHelper(NULL, 0); */
+ 
++    /* restore corrupted item2 to delete it */
++    item2->prev = originalPrev;
++    cJSON_Delete(corruptedString);
++    cJSON_Delete(array);
+     cJSON_Delete(item);
+ }
+ 
+-- 
+2.33.0
+

backport-Fix-heap-buffer-overflow.patch

@@ -0,0 +1,29 @@
+From 3ef4e4e730e5efd381be612df41e1ff3f5bb3c32 Mon Sep 17 00:00:00 2001
+From: orri <orri@systemb.is>
+Date: Tue, 30 Apr 2024 09:50:19 +0000
+Subject: [PATCH 2/2] Fix heap buffer overflow
+
+Fixes #800
+---
+ cJSON.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 4f5b38d..97564bb 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -1660,6 +1660,11 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
+             current_item = new_item;
+         }
+ 
++        if (cannot_access_at_index(input_buffer, 1))
++        {
++            goto fail; /* nothing comes after the comma */
++        }
++
+         /* parse the name of the child */
+         input_buffer->offset++;
+         buffer_skip_whitespace(input_buffer);
+-- 
+2.43.0
+

backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch

@@ -0,0 +1,74 @@
+From 0489fa665b373d214523e318ee6b75292ea0e411 Mon Sep 17 00:00:00 2001
+From: maebex <maximilian.berndt11@web.de>
+Date: Sat, 30 Mar 2024 10:42:22 +0100
+Subject: [PATCH] Set free'd pointers to NULL whenever they are not reassigned
+ immediately after
+
+---
+ cJSON.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 7532e84..ab4fb35 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -263,10 +263,12 @@ CJSON_PUBLIC(void) cJSON_Delete(cJSON *item)
+         if (!(item->type & cJSON_IsReference) && (item->valuestring != NULL))
+         {
+             global_hooks.deallocate(item->valuestring);
++            item->valuestring = NULL;
+         }
+         if (!(item->type & cJSON_StringIsConst) && (item->string != NULL))
+         {
+             global_hooks.deallocate(item->string);
++            item->string = NULL;
+         }
+         global_hooks.deallocate(item);
+         item = next;
+@@ -900,6 +902,7 @@ fail:
+     if (output != NULL)
+     {
+         input_buffer->hooks.deallocate(output);
++        output = NULL;
+     }
+ 
+     if (input_pointer != NULL)
+@@ -1242,6 +1245,7 @@ static unsigned char *print(const cJSON * const item, cJSON_bool format, const i
+ 
+         /* free the buffer */
+         hooks->deallocate(buffer->buffer);
++        buffer->buffer = NULL;
+     }
+ 
+     return printed;
+@@ -1250,11 +1254,13 @@ fail:
+     if (buffer->buffer != NULL)
+     {
+         hooks->deallocate(buffer->buffer);
++        buffer->buffer = NULL;
+     }
+ 
+     if (printed != NULL)
+     {
+         hooks->deallocate(printed);
++        printed = NULL;
+     }
+ 
+     return NULL;
+@@ -1295,6 +1301,7 @@ CJSON_PUBLIC(char *) cJSON_PrintBuffered(const cJSON *item, int prebuffer, cJSON
+     if (!print_value(item, &p))
+     {
+         global_hooks.deallocate(p.buffer);
++        p.buffer = NULL;
+         return NULL;
+     }
+ 
+@@ -3138,4 +3145,5 @@ CJSON_PUBLIC(void *) cJSON_malloc(size_t size)
+ CJSON_PUBLIC(void) cJSON_free(void *object)
+ {
+     global_hooks.deallocate(object);
++    object = NULL;
+ }
+-- 
+2.33.0
+

backport-fix-add-allocate-check-for-replace_item_in_object-67.patch

@@ -0,0 +1,80 @@
+From b45f48e600671feade0b6bd65d1c69de7899f2be Mon Sep 17 00:00:00 2001
+From: Junbo Zheng <3273070@qq.com>
+Date: Tue, 29 Mar 2022 15:02:59 +0800
+Subject: [PATCH] fix: add allocate check for replace_item_in_object (#675)
+
+Signed-off-by: Junbo Zheng <zhengjunbo1@xiaomi.com>
+---
+ cJSON.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/cJSON.c b/cJSON.c
+index c78aac6..524ba46 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -96,9 +96,9 @@ CJSON_PUBLIC(const char *) cJSON_GetErrorPtr(void)
+     return (const char*) (global_error.json + global_error.position);
+ }
+ 
+-CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item) 
++CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item)
+ {
+-    if (!cJSON_IsString(item)) 
++    if (!cJSON_IsString(item))
+     {
+         return NULL;
+     }
+@@ -106,9 +106,9 @@ CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item)
+     return item->valuestring;
+ }
+ 
+-CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item) 
++CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item)
+ {
+-    if (!cJSON_IsNumber(item)) 
++    if (!cJSON_IsNumber(item))
+     {
+         return (double) NAN;
+     }
+@@ -511,7 +511,7 @@ static unsigned char* ensure(printbuffer * const p, size_t needed)
+ 
+             return NULL;
+         }
+-        
++
+         memcpy(newbuffer, p->buffer, p->offset + 1);
+         p->hooks.deallocate(p->buffer);
+     }
+@@ -1107,7 +1107,7 @@ CJSON_PUBLIC(cJSON *) cJSON_ParseWithLengthOpts(const char *value, size_t buffer
+     }
+ 
+     buffer.content = (const unsigned char*)value;
+-    buffer.length = buffer_length; 
++    buffer.length = buffer_length;
+     buffer.offset = 0;
+     buffer.hooks = global_hooks;
+ 
+@@ -2361,6 +2361,11 @@ static cJSON_bool replace_item_in_object(cJSON *object, const char *string, cJSO
+         cJSON_free(replacement->string);
+     }
+     replacement->string = (char*)cJSON_strdup((const unsigned char*)string, &global_hooks);
++    if (replacement->string == NULL)
++    {
++        return false;
++    }
++
+     replacement->type &= ~cJSON_StringIsConst;
+ 
+     return cJSON_ReplaceItemViaPointer(object, get_object_item(object, string, case_sensitive), replacement);
+@@ -2693,7 +2698,7 @@ CJSON_PUBLIC(cJSON *) cJSON_CreateStringArray(const char *const *strings, int co
+     if (a && a->child) {
+         a->child->prev = n;
+     }
+-    
++
+     return a;
+ }
+ 
+-- 
+2.9.3.windows.1
+

backport-fix-potential-memory-leak-in-merge_patch.patch

@@ -0,0 +1,12 @@
+diff --git a/cJSON_Utils.c b/cJSON_Utils.c
+index c7c6439..63651df 100644
+--- a/cJSON_Utils.c
++++ b/cJSON_Utils.c
+@@ -1367,6 +1367,7 @@ static cJSON *merge_patch(cJSON *target, const cJSON * const patch, const cJSON_
+             replacement = merge_patch(replace_me, patch_child, case_sensitive);
+             if (replacement == NULL)
+             {
++                cJSON_Delete(target);
+                 return NULL;
+             }
+ 

backport-fix-print-int-without-decimal-places-630.patch

@@ -0,0 +1,26 @@
+From d321fa9e6e574ff93518f6384865b9af0a4a4afc Mon Sep 17 00:00:00 2001
+From: AlexanderVasiljev <48011002+AlexanderVasiljev@users.noreply.github.com>
+Date: Wed, 19 Jan 2022 05:30:31 +0300
+Subject: [PATCH] fix: print int without decimal places (#630)
+
+---
+ cJSON.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 3063f74..c78aac6 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -562,6 +562,10 @@ static cJSON_bool print_number(const cJSON * const item, printbuffer * const out
+     {
+         length = sprintf((char*)number_buffer, "null");
+     }
++	else if(d == (double)item->valueint)
++	{
++		length = sprintf((char*)number_buffer, "%d", item->valueint);
++	}
+     else
+     {
+         /* Try 15 decimal places of precision to avoid nonsignificant nonzero digits */
+-- 
+

cjson.spec

@@ -0,0 +1,76 @@
+Name:           cjson
+Version:        1.7.15
+Release:        5
+Summary:        Ultralightweight JSON parser in ANSI C
+ 
+License:        MIT and ASL 2.0
+URL:            https://github.com/DaveGamble/cJSON
+Source0:        https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.tar.gz
+ 
+Patch0001:	backport-CVE-2023-50471_50472.patch
+Patch0002:	backport-fix-potential-memory-leak-in-merge_patch.patch
+Patch0003:	CVE-2024-31755.patch
+Patch0004:	Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch
+Patch0005:	backport-fix-add-allocate-check-for-replace_item_in_object-67.patch
+Patch0006:	backport-fix-print-int-without-decimal-places-630.patch
+Patch0007:	backport-Add-test-for-heap-buffer-overflow.patch
+Patch0008:	backport-Fix-heap-buffer-overflow.patch
+Patch0009:	backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch
+
+BuildRequires:  gcc
+BuildRequires:  cmake
+
+%description
+cJSON aims to be the dumbest possible parser that you can get your job
+done with. It's a single file of C, and a single header file.
+ 
+%package devel
+Summary:        Development files for cJSON
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires:       pkgconfig
+  
+%description devel
+The cjson-devel package contains libraries and header files for
+developing applications that use cJSON.
+  
+%prep
+%autosetup -n cJSON-%{version} -p1
+
+%build
+%cmake
+%make_build
+
+%install
+%make_install
+rm -f %{buildroot}%{_libdir}/*.{la,a}
+rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig 
+
+%files
+%license LICENSE
+%doc README.md
+%{_libdir}/libcjson*.so.*
+ 
+%files devel
+%doc CHANGELOG.md CONTRIBUTORS.md
+%{_libdir}/libcjson.so
+%{_libdir}/pkgconfig/libcjson.pc
+%{_includedir}/cjson/
+
+%changelog
+* Tue Jun 18 2024 Zhao Mengmeng <zhaomengmeng@kylinos.cn> - 1.7.15-5
+- sync patches from 24.03 branches
+
+* Fri Apr 26 2024 lvfei <lvfei@kylinos.cn> - 1.7.15-4
+- fix CVE-2024-31755
+
+* Tue Mar 05 2024 xiejing <xiejing@kylinos.cn> - 1.7.15-3
+- fix potential memory leak in merge_patch()
+
+* Sun Dec 24 2023 liningjie <liningjie@xfusion.com> - 1.7.15-2
+- Fix CVE-2023-50471 CVE-2023-50472
+
+* Thu Sep 23 2021 jiangxinyu <jiangxinyu@kylinos.cn> - 1.7.15-1
+- Package Init

cjson.yaml

@@ -0,0 +1,4 @@
+version_control: github
+src_repo: DaveGamble/cJSON
+tag_prefix: ""
+separator: "."