Fix heap buffer overflow

2024-05-22 16:41:48 +08:00 · 2024-05-22 16:41:48 +08:00 · 7358065591
commit 7358065591
parent bb22389dde
3 changed files with 93 additions and 1 deletions
--- a/backport-Add-test-for-heap-buffer-overflow.patch
+++ b/backport-Add-test-for-heap-buffer-overflow.patch
@ -0,0 +1,58 @@
+From 826cd6f842ae7e46ee38bbc097f9a34f2947388d Mon Sep 17 00:00:00 2001
+From: orri <orri@systemb.is>
+Date: Tue, 30 Apr 2024 09:46:17 +0000
+Subject: [PATCH 1/2] Add test for heap buffer overflow
+
+From #800
+---
+ tests/parse_examples.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tests/parse_examples.c b/tests/parse_examples.c
+index 95a0959..d35d6cf 100644
+--- a/tests/parse_examples.c
+++ b/tests/parse_examples.c
+@@ -250,6 +250,33 @@ static void test14_should_not_be_parsed(void)
+     }
+ }
+ 
+/* Address Sanitizer */
+static void test15_should_not_heap_buffer_overflow(void)
+{
+    const char *strings[] = {
+        "{\"1\":1,",
+        "{\"1\":1, ",
+    };
+
+    size_t i;
+
+    for (i = 0; i < sizeof(strings) / sizeof(strings[0]); i+=1)
+    {
+        const char *json_string = strings[i];
+        size_t len = strlen(json_string);
+        cJSON *json = NULL;
+
+        char *exact_size_heap = (char*)malloc(len);
+        TEST_ASSERT_NOT_NULL(exact_size_heap);
+
+        memcpy(exact_size_heap, json_string, len);
+        json = cJSON_ParseWithLength(exact_size_heap, len);
+
+        cJSON_Delete(json);
+        free(exact_size_heap);
+    }
+}
+
+ int CJSON_CDECL main(void)
+ {
+     UNITY_BEGIN();
+@@ -267,5 +294,6 @@ int CJSON_CDECL main(void)
+     RUN_TEST(test12_should_not_be_parsed);
+     RUN_TEST(test13_should_be_parsed_without_null_termination);
+     RUN_TEST(test14_should_not_be_parsed);
+    RUN_TEST(test15_should_not_heap_buffer_overflow);
+     return UNITY_END();
+ }
+-- 
+2.43.0
+
--- a/backport-Fix-heap-buffer-overflow.patch
+++ b/backport-Fix-heap-buffer-overflow.patch
@ -0,0 +1,29 @@
+From 3ef4e4e730e5efd381be612df41e1ff3f5bb3c32 Mon Sep 17 00:00:00 2001
+From: orri <orri@systemb.is>
+Date: Tue, 30 Apr 2024 09:50:19 +0000
+Subject: [PATCH 2/2] Fix heap buffer overflow
+
+Fixes #800
+---
+ cJSON.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 4f5b38d..97564bb 100644
+--- a/cJSON.c
+++ b/cJSON.c
+@@ -1660,6 +1660,11 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
+             current_item = new_item;
+         }
+ 
+        if (cannot_access_at_index(input_buffer, 1))
+        {
+            goto fail; /* nothing comes after the comma */
+        }
+
+         /* parse the name of the child */
+         input_buffer->offset++;
+         buffer_skip_whitespace(input_buffer);
+-- 
+2.43.0
+
--- a/cjson.spec
+++ b/cjson.spec
@ -1,6 +1,6 @@
 Name:           cjson
 Version:        1.7.15
-Release:        7
+Release:        8
 Summary:        Ultralightweight JSON parser in ANSI C
 
 License:        MIT and ASL 2.0
@ -13,6 +13,8 @@ Patch0003:	CVE-2024-31755.patch
 Patch0004:  Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch
 Patch0005:  backport-fix-add-allocate-check-for-replace_item_in_object-67.patch
 Patch0006:  backport-fix-print-int-without-decimal-places-630.patch
+Patch0007:  backport-Add-test-for-heap-buffer-overflow.patch
+Patch0008:  backport-Fix-heap-buffer-overflow.patch

 BuildRequires:  gcc
 BuildRequires:  cmake
@ -59,6 +61,9 @@ rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake
 %{_includedir}/cjson/

 %changelog
+* Wed May 22 2024 xiejing <xiejing@kylinos.cn> - 1.7.15-8
+- Fix heap buffer overflow
+
 * Fri May 10 2024 wuzhaomin <wuzhaomin@kylinos.cn> - 1.7.15-7
 - Fix print int without decimal places