!36 Backport Set free'd pointers to NULL whenever they are not reassigned

From: @mmzzmm 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch

@@ -0,0 +1,25 @@
+From 73d8cbbaf1c8b5ceb5a46a8e7d9a24aa3edaf0a3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=E8=82=96=E5=9C=A8?= <xiaozai@kylinos.cn>
+Date: Tue, 7 May 2024 11:40:54 +0800
+Subject: [PATCH] Fix a null pointer crash in cJSON_ReplaceItemViaPointer
+
+---
+ cJSON.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cJSON.c b/cJSON.c
+index 349ebbd..a1073ed 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -2304,7 +2304,7 @@ CJSON_PUBLIC(cJSON_bool) cJSON_InsertItemInArray(cJSON *array, int which, cJSON
+ 
+ CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemViaPointer(cJSON * const parent, cJSON * const item, cJSON * replacement)
+ {
+-    if ((parent == NULL) || (replacement == NULL) || (item == NULL))
++    if ((parent == NULL) || (parent->child == NULL) || (replacement == NULL) || (item == NULL))
+     {
+         return false;
+     }
+-- 
+2.33.0
+

backport-Add-test-for-heap-buffer-overflow.patch

@@ -0,0 +1,58 @@
+From 826cd6f842ae7e46ee38bbc097f9a34f2947388d Mon Sep 17 00:00:00 2001
+From: orri <orri@systemb.is>
+Date: Tue, 30 Apr 2024 09:46:17 +0000
+Subject: [PATCH 1/2] Add test for heap buffer overflow
+
+From #800
+---
+ tests/parse_examples.c | 28 ++++++++++++++++++++++++++++
+ 1 file changed, 28 insertions(+)
+
+diff --git a/tests/parse_examples.c b/tests/parse_examples.c
+index 95a0959..d35d6cf 100644
+--- a/tests/parse_examples.c
++++ b/tests/parse_examples.c
+@@ -250,6 +250,33 @@ static void test14_should_not_be_parsed(void)
+     }
+ }
+ 
++/* Address Sanitizer */
++static void test15_should_not_heap_buffer_overflow(void)
++{
++    const char *strings[] = {
++        "{\"1\":1,",
++        "{\"1\":1, ",
++    };
++
++    size_t i;
++
++    for (i = 0; i < sizeof(strings) / sizeof(strings[0]); i+=1)
++    {
++        const char *json_string = strings[i];
++        size_t len = strlen(json_string);
++        cJSON *json = NULL;
++
++        char *exact_size_heap = (char*)malloc(len);
++        TEST_ASSERT_NOT_NULL(exact_size_heap);
++
++        memcpy(exact_size_heap, json_string, len);
++        json = cJSON_ParseWithLength(exact_size_heap, len);
++
++        cJSON_Delete(json);
++        free(exact_size_heap);
++    }
++}
++
+ int CJSON_CDECL main(void)
+ {
+     UNITY_BEGIN();
+@@ -267,5 +294,6 @@ int CJSON_CDECL main(void)
+     RUN_TEST(test12_should_not_be_parsed);
+     RUN_TEST(test13_should_be_parsed_without_null_termination);
+     RUN_TEST(test14_should_not_be_parsed);
++    RUN_TEST(test15_should_not_heap_buffer_overflow);
+     return UNITY_END();
+ }
+-- 
+2.43.0
+

backport-Fix-heap-buffer-overflow.patch

@@ -0,0 +1,29 @@
+From 3ef4e4e730e5efd381be612df41e1ff3f5bb3c32 Mon Sep 17 00:00:00 2001
+From: orri <orri@systemb.is>
+Date: Tue, 30 Apr 2024 09:50:19 +0000
+Subject: [PATCH 2/2] Fix heap buffer overflow
+
+Fixes #800
+---
+ cJSON.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 4f5b38d..97564bb 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -1660,6 +1660,11 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
+             current_item = new_item;
+         }
+ 
++        if (cannot_access_at_index(input_buffer, 1))
++        {
++            goto fail; /* nothing comes after the comma */
++        }
++
+         /* parse the name of the child */
+         input_buffer->offset++;
+         buffer_skip_whitespace(input_buffer);
+-- 
+2.43.0
+

backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch

@@ -0,0 +1,74 @@
+From 0489fa665b373d214523e318ee6b75292ea0e411 Mon Sep 17 00:00:00 2001
+From: maebex <maximilian.berndt11@web.de>
+Date: Sat, 30 Mar 2024 10:42:22 +0100
+Subject: [PATCH] Set free'd pointers to NULL whenever they are not reassigned
+ immediately after
+
+---
+ cJSON.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 7532e84..ab4fb35 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -263,10 +263,12 @@ CJSON_PUBLIC(void) cJSON_Delete(cJSON *item)
+         if (!(item->type & cJSON_IsReference) && (item->valuestring != NULL))
+         {
+             global_hooks.deallocate(item->valuestring);
++            item->valuestring = NULL;
+         }
+         if (!(item->type & cJSON_StringIsConst) && (item->string != NULL))
+         {
+             global_hooks.deallocate(item->string);
++            item->string = NULL;
+         }
+         global_hooks.deallocate(item);
+         item = next;
+@@ -900,6 +902,7 @@ fail:
+     if (output != NULL)
+     {
+         input_buffer->hooks.deallocate(output);
++        output = NULL;
+     }
+ 
+     if (input_pointer != NULL)
+@@ -1242,6 +1245,7 @@ static unsigned char *print(const cJSON * const item, cJSON_bool format, const i
+ 
+         /* free the buffer */
+         hooks->deallocate(buffer->buffer);
++        buffer->buffer = NULL;
+     }
+ 
+     return printed;
+@@ -1250,11 +1254,13 @@ fail:
+     if (buffer->buffer != NULL)
+     {
+         hooks->deallocate(buffer->buffer);
++        buffer->buffer = NULL;
+     }
+ 
+     if (printed != NULL)
+     {
+         hooks->deallocate(printed);
++        printed = NULL;
+     }
+ 
+     return NULL;
+@@ -1295,6 +1301,7 @@ CJSON_PUBLIC(char *) cJSON_PrintBuffered(const cJSON *item, int prebuffer, cJSON
+     if (!print_value(item, &p))
+     {
+         global_hooks.deallocate(p.buffer);
++        p.buffer = NULL;
+         return NULL;
+     }
+ 
+@@ -3138,4 +3145,5 @@ CJSON_PUBLIC(void *) cJSON_malloc(size_t size)
+ CJSON_PUBLIC(void) cJSON_free(void *object)
+ {
+     global_hooks.deallocate(object);
++    object = NULL;
+ }
+-- 
+2.33.0
+

backport-fix-add-allocate-check-for-replace_item_in_object-67.patch

@@ -0,0 +1,80 @@
+From b45f48e600671feade0b6bd65d1c69de7899f2be Mon Sep 17 00:00:00 2001
+From: Junbo Zheng <3273070@qq.com>
+Date: Tue, 29 Mar 2022 15:02:59 +0800
+Subject: [PATCH] fix: add allocate check for replace_item_in_object (#675)
+
+Signed-off-by: Junbo Zheng <zhengjunbo1@xiaomi.com>
+---
+ cJSON.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/cJSON.c b/cJSON.c
+index c78aac6..524ba46 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -96,9 +96,9 @@ CJSON_PUBLIC(const char *) cJSON_GetErrorPtr(void)
+     return (const char*) (global_error.json + global_error.position);
+ }
+ 
+-CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item) 
++CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item)
+ {
+-    if (!cJSON_IsString(item)) 
++    if (!cJSON_IsString(item))
+     {
+         return NULL;
+     }
+@@ -106,9 +106,9 @@ CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item)
+     return item->valuestring;
+ }
+ 
+-CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item) 
++CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item)
+ {
+-    if (!cJSON_IsNumber(item)) 
++    if (!cJSON_IsNumber(item))
+     {
+         return (double) NAN;
+     }
+@@ -511,7 +511,7 @@ static unsigned char* ensure(printbuffer * const p, size_t needed)
+ 
+             return NULL;
+         }
+-        
++
+         memcpy(newbuffer, p->buffer, p->offset + 1);
+         p->hooks.deallocate(p->buffer);
+     }
+@@ -1107,7 +1107,7 @@ CJSON_PUBLIC(cJSON *) cJSON_ParseWithLengthOpts(const char *value, size_t buffer
+     }
+ 
+     buffer.content = (const unsigned char*)value;
+-    buffer.length = buffer_length; 
++    buffer.length = buffer_length;
+     buffer.offset = 0;
+     buffer.hooks = global_hooks;
+ 
+@@ -2361,6 +2361,11 @@ static cJSON_bool replace_item_in_object(cJSON *object, const char *string, cJSO
+         cJSON_free(replacement->string);
+     }
+     replacement->string = (char*)cJSON_strdup((const unsigned char*)string, &global_hooks);
++    if (replacement->string == NULL)
++    {
++        return false;
++    }
++
+     replacement->type &= ~cJSON_StringIsConst;
+ 
+     return cJSON_ReplaceItemViaPointer(object, get_object_item(object, string, case_sensitive), replacement);
+@@ -2693,7 +2698,7 @@ CJSON_PUBLIC(cJSON *) cJSON_CreateStringArray(const char *const *strings, int co
+     if (a && a->child) {
+         a->child->prev = n;
+     }
+-    
++
+     return a;
+ }
+ 
+-- 
+2.9.3.windows.1
+

backport-fix-print-int-without-decimal-places-630.patch

@@ -0,0 +1,26 @@
+From d321fa9e6e574ff93518f6384865b9af0a4a4afc Mon Sep 17 00:00:00 2001
+From: AlexanderVasiljev <48011002+AlexanderVasiljev@users.noreply.github.com>
+Date: Wed, 19 Jan 2022 05:30:31 +0300
+Subject: [PATCH] fix: print int without decimal places (#630)
+
+---
+ cJSON.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/cJSON.c b/cJSON.c
+index 3063f74..c78aac6 100644
+--- a/cJSON.c
++++ b/cJSON.c
+@@ -562,6 +562,10 @@ static cJSON_bool print_number(const cJSON * const item, printbuffer * const out
+     {
+         length = sprintf((char*)number_buffer, "null");
+     }
++	else if(d == (double)item->valueint)
++	{
++		length = sprintf((char*)number_buffer, "%d", item->valueint);
++	}
+     else
+     {
+         /* Try 15 decimal places of precision to avoid nonsignificant nonzero digits */
+-- 
+

cjson.spec

@@ -1,6 +1,6 @@
 Name:           cjson
 Version:        1.7.15
-Release:        4
+Release:        9
 Summary:        Ultralightweight JSON parser in ANSI C
  
 License:        MIT and ASL 2.0
@@ -10,10 +10,18 @@ Source0:        https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.ta
 Patch0001:	backport-CVE-2023-50471_50472.patch
 Patch0002:	backport-fix-potential-memory-leak-in-merge_patch.patch
 Patch0003:	CVE-2024-31755.patch
+Patch0004:  Fix-a-null-pointer-crash-in-cJSON_ReplaceItemViaPoin.patch
+Patch0005:  backport-fix-add-allocate-check-for-replace_item_in_object-67.patch
+Patch0006:  backport-fix-print-int-without-decimal-places-630.patch
+Patch0007:  backport-Add-test-for-heap-buffer-overflow.patch
+Patch0008:  backport-Fix-heap-buffer-overflow.patch
+Patch0009:  backport-Set-free-d-pointers-to-NULL-whenever-they-are-not-re.patch
 
 BuildRequires:  gcc
 BuildRequires:  cmake
 
+
+
 %description
 cJSON aims to be the dumbest possible parser that you can get your job
 done with. It's a single file of C, and a single header file.
@@ -54,6 +62,21 @@ rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake
 %{_includedir}/cjson/
 
 %changelog
+* Wed May 29 2024 Zhao Mengmeng <zhaomengmeng@kylinos.cn> - 1.7.15-9
+- Set free'd pointers to NULL to avoid double free
+
+* Wed May 22 2024 xiejing <xiejing@kylinos.cn> - 1.7.15-8
+- Fix heap buffer overflow
+
+* Fri May 10 2024 wuzhaomin <wuzhaomin@kylinos.cn> - 1.7.15-7
+- Fix print int without decimal places
+
+* Wed May 8 2024 wuzhaomin <wuzhaomin@kylinos.cn> - 1.7.15-6
+- add allocate check for replace_item_in_object
+
+* Tue May 07 2024 xiaozai <xiaozai@kylinos.cn> - 1.7.15-5
+- Fix a null pointer crash in cJSON_ReplaceItemViaPointer
+
 * Fri Apr 26 2024 lvfei <lvfei@kylinos.cn> - 1.7.15-4
 - fix CVE-2024-31755