!33 Fix heap buffer overflow

From: @XIE-JING-2022 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

backport-Add-test-for-heap-buffer-overflow.patch

@@ -0,0 +1,58 @@
+From 826cd6f842ae7e46ee38bbc097f9a34f2947388d Mon Sep 17 00:00:00 2001
+From: orri <orri@systemb.is>
+Date: Tue, 30 Apr 2024 09:46:17 +0000
+Subject: [PATCH 1/2] Add test for heap buffer overflow
+
+From #800
+---
+ tests/parse_examples.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tests/parse_examples.c b/tests/parse_examples.c
+index 95a0959..d35d6cf 100644
+--- a/tests/parse_examples.c
++++ b/tests/parse_examples.c
+@@ -250,6 +250,33 @@ static void test14_should_not_be_parsed(void)
+     }
+ }
+ 
++/* Address Sanitizer */
++static void test15_should_not_heap_buffer_overflow(void)
++{
++    const char *strings[] = {
++        "{\"1\":1,",
++        "{\"1\":1, ",
++    };
++
++    size_t i;
++
++    for (i = 0; i < sizeof(strings) / sizeof(strings[0]); i+=1)
++    {
++        const char *json_string = strings[i];
++        size_t len = strlen(json_string);
++        cJSON *json = NULL;
++
++        char *exact_size_heap = (char*)malloc(len);
++        TEST_ASSERT_NOT_NULL(exact_size_heap);
++
++        memcpy(exact_size_heap, json_string, len);
++        json = cJSON_ParseWithLength(exact_size_heap, len);
++
++        cJSON_Delete(json);
++        free(exact_size_heap);
++    }
++}
++
+ int CJSON_CDECL main(void)
+ {
+     UNITY_BEGIN();
+@@ -267,5 +294,6 @@ int CJSON_CDECL main(void)
+     RUN_TEST(test12_should_not_be_parsed);
+     RUN_TEST(test13_should_be_parsed_without_null_termination);
+     RUN_TEST(test14_should_not_be_parsed);
++    RUN_TEST(test15_should_not_heap_buffer_overflow);
+     return UNITY_END();
+ }
+-- 
+2.43.0
+

backport-Fix-heap-buffer-overflow.patch

@@ -0,0 +1,29 @@
+From 3ef4e4e730e5efd381be612df41e1ff3f5bb3c32 Mon Sep 17 00:00:00 2001
+From: orri <orri@systemb.is>
+Date: Tue, 30 Apr 2024 09:50:19 +0000
+Subject: [PATCH 2/2] Fix heap buffer overflow
+
+Fixes #800
+---
+ cJSON.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 4f5b38d..97564bb 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -1660,6 +1660,11 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
+             current_item = new_item;
+         }
+ 
++        if (cannot_access_at_index(input_buffer, 1))
++        {
++            goto fail; /* nothing comes after the comma */
++        }
++
+         /* parse the name of the child */
+         input_buffer->offset++;
+         buffer_skip_whitespace(input_buffer);
+-- 
+2.43.0
+

cjson.spec

@@ -1,6 +1,6 @@
 Name:           cjson
 Version:        1.7.15
-Release:        7
+Release:        8
 Summary:        Ultralightweight JSON parser in ANSI C
  
 License:        MIT and ASL 2.0
@@ -13,6 +13,8 @@ Patch0003:	CVE-2024-31755.patch
 Patch0004:  Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch
 Patch0005:  backport-fix-add-allocate-check-for-replace_item_in_object-67.patch
 Patch0006:  backport-fix-print-int-without-decimal-places-630.patch
+Patch0007:  backport-Add-test-for-heap-buffer-overflow.patch
+Patch0008:  backport-Fix-heap-buffer-overflow.patch
 
 BuildRequires:  gcc
 BuildRequires:  cmake
@@ -59,6 +61,9 @@ rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake
 %{_includedir}/cjson/
 
 %changelog
+* Wed May 22 2024 xiejing <xiejing@kylinos.cn> - 1.7.15-8
+- Fix heap buffer overflow
+
 * Fri May 10 2024 wuzhaomin <wuzhaomin@kylinos.cn> - 1.7.15-7
 - Fix print int without decimal places