Sync these patches from 24.03 branch: - Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch - backport-Add-test-for-heap-buffer-overflow.patch - backport-Fix-heap-buffer-overflow.patch - backport-fix-add-allocate-check-for-replace_item_in_object-67.patch - backport-fix-print-int-without-decimal-places-630.patch - backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch Signed-off-by: Zhao Mengmeng <zhaomengmeng@kylinos.cn>
From 3ef4e4e730e5efd381be612df41e1ff3f5bb3c32 Mon Sep 17 00:00:00 2001
From: orri <orri@systemb.is>
Date: Tue, 30 Apr 2024 09:50:19 +0000
Subject: [PATCH 2/2] Fix heap buffer overflow
Fixes #800
---
cJSON.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/cJSON.c b/cJSON.c
index 4f5b38d..97564bb 100644
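--- a/cJSON.c
+++ b/cJSON.c
@@ -1660,6 +1660,11 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
 current_item = new_item;
 }
 
+ if (cannot_access_at_index(input_buffer, 1))
+ {
+ goto fail; /* nothing comes after the comma */
+ }
+
 /* parse the name of the child */
 input_buffer->offset++;
 buffer_skip_whitespace(input_buffer);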
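Review bot: The new guard in parse_object checks only index 1, the single byte that `input_buffer->offset++` below steps onto; once `buffer_skip_whitespace(input_buffer)` has moved the offset further, the name parser called next (outside this hunk) still has to bound its own first read, and nothing here records that dependency. The comment `/* nothing comes after the comma */` also looks inaccurate for the first pass through the loop, where the skipped character is presumably the opening brace rather than a comma; I would reword it to `/* input ends right after '{' or ',': no byte left for the member name */`. The check runs after `current_item = new_item;`, so the `fail` label (not visible here) has to free the list including the item just linked, which is worth confirming because parse_object's body starts and ends outside the hunk.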
--
2.43.0