json-lib/0001-fix-Handle-unbalanced-comment-string.patch

From a0c4a0eae277130e22979cf307c95dec4005a78e Mon Sep 17 00:00:00 2001
From: Andres Almiray <aalmiray@gmail.com>
Date: Thu, 26 Sep 2024 17:47:11 -0500
Subject: [PATCH] fix: Handle unbalanced comment string

---
 .../src/main/java/net/sf/json/util/JSONTokener.java   |  2 ++
 .../src/test/java/net/sf/json/TestJSONSerializer.java |  9 +++++++++
 src/main/java/net/sf/json/util/JSONTokener.java       |  2 ++
 src/test/java/net/sf/json/TestJSONSerializer.java     |  9 +++++++++
 4 files changed, 22 insertions(+)

diff --git a/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java b/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java
index 655cd7c..aad6f3b 100644
--- a/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java
+++ b/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java
@@ -192,6 +192,8 @@ public class JSONTokener {
                             if (c == '*') {
                                 if (next() == '/') {
                                     break;
+                                } else if (!more()) {
+                                    return 0;
                                 }
                                 back();
                             }
diff --git a/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java b/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java
index 6a15863..d0c9ff4 100644
--- a/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java
+++ b/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java
@@ -139,6 +139,15 @@ public class TestJSONSerializer extends TestCase {
         assertEquals(beanB.getValue(), ((ValueBean) bb).getValue());
     }
 
+    public void testToJava_JSONObject_5() throws Exception {
+        try {
+            JSONObject.fromObject("/**");
+            fail("Should have thrown a JSONException");
+        } catch (JSONException expected) {
+            // ok
+        }
+    }
+
     public void testToJava_JSONObject_and_reset() throws Exception {
         String json = "{bool:true,integer:1,string:\"json\"}";
         JSONObject jsonObject = JSONObject.fromObject(json);
diff --git a/src/main/java/net/sf/json/util/JSONTokener.java b/src/main/java/net/sf/json/util/JSONTokener.java
index 4f6ff94..0cdde2b 100644
--- a/src/main/java/net/sf/json/util/JSONTokener.java
+++ b/src/main/java/net/sf/json/util/JSONTokener.java
@@ -196,6 +196,8 @@ public class JSONTokener {
                      if( c == '*' ){
                         if( next() == '/' ){
                            break;
+                        } else if (!more()){
+                            return 0;
                         }
                         back();
                      }
diff --git a/src/test/java/net/sf/json/TestJSONSerializer.java b/src/test/java/net/sf/json/TestJSONSerializer.java
index 7397769..89c145d 100644
--- a/src/test/java/net/sf/json/TestJSONSerializer.java
+++ b/src/test/java/net/sf/json/TestJSONSerializer.java
@@ -139,6 +139,15 @@ public class TestJSONSerializer extends TestCase {
       assertEquals( beanB.getValue(), ((ValueBean) bb).getValue() );
    }
 
+   public void testToJava_JSONObject_5() throws Exception {
+       try {
+           JSONObject.fromObject("/**");
+           fail("Should have thrown a JSONException");
+       } catch (JSONException expected) {
+           // ok
+       }
+   }
+
    public void testToJava_JSONObject_and_reset() throws Exception {
       String json = "{bool:true,integer:1,string:\"json\"}";
       JSONObject jsonObject = JSONObject.fromObject( json );
-- 
2.43.0
fix: Handle unbalanced comment string for CVE-2024-47855 (cherry picked from commit c91893096b399ea51baa610a91ff208695679f98) 2024-10-07 14:03:37 +08:00			`From a0c4a0eae277130e22979cf307c95dec4005a78e Mon Sep 17 00:00:00 2001`
			`From: Andres Almiray <aalmiray@gmail.com>`
			`Date: Thu, 26 Sep 2024 17:47:11 -0500`
			`Subject: [PATCH] fix: Handle unbalanced comment string`

			`---`
			`.../src/main/java/net/sf/json/util/JSONTokener.java \| 2 ++`
			`.../src/test/java/net/sf/json/TestJSONSerializer.java \| 9 +++++++++`
			`src/main/java/net/sf/json/util/JSONTokener.java \| 2 ++`
			`src/test/java/net/sf/json/TestJSONSerializer.java \| 9 +++++++++`
			`4 files changed, 22 insertions(+)`

			`diff --git a/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java b/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java`
			`index 655cd7c..aad6f3b 100644`
			`--- a/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java`
			`+++ b/jenkins-json-lib-2.4/src/main/java/net/sf/json/util/JSONTokener.java`
			`@@ -192,6 +192,8 @@ public class JSONTokener {`
			`if (c == '*') {`
			`if (next() == '/') {`
			`break;`
			`+ } else if (!more()) {`
			`+ return 0;`
			`}`
			`back();`
			`}`
			`diff --git a/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java b/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java`
			`index 6a15863..d0c9ff4 100644`
			`--- a/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java`
			`+++ b/jenkins-json-lib-2.4/src/test/java/net/sf/json/TestJSONSerializer.java`
			`@@ -139,6 +139,15 @@ public class TestJSONSerializer extends TestCase {`
			`assertEquals(beanB.getValue(), ((ValueBean) bb).getValue());`
			`}`

			`+ public void testToJava_JSONObject_5() throws Exception {`
			`+ try {`
			`+ JSONObject.fromObject("/**");`
			`+ fail("Should have thrown a JSONException");`
			`+ } catch (JSONException expected) {`
			`+ // ok`
			`+ }`
			`+ }`
			`+`
			`public void testToJava_JSONObject_and_reset() throws Exception {`
			`String json = "{bool:true,integer:1,string:\"json\"}";`
			`JSONObject jsonObject = JSONObject.fromObject(json);`
			`diff --git a/src/main/java/net/sf/json/util/JSONTokener.java b/src/main/java/net/sf/json/util/JSONTokener.java`
			`index 4f6ff94..0cdde2b 100644`
			`--- a/src/main/java/net/sf/json/util/JSONTokener.java`
			`+++ b/src/main/java/net/sf/json/util/JSONTokener.java`
			`@@ -196,6 +196,8 @@ public class JSONTokener {`
			`if( c == '*' ){`
			`if( next() == '/' ){`
			`break;`
			`+ } else if (!more()){`
			`+ return 0;`
			`}`
			`back();`
			`}`
			`diff --git a/src/test/java/net/sf/json/TestJSONSerializer.java b/src/test/java/net/sf/json/TestJSONSerializer.java`
			`index 7397769..89c145d 100644`
			`--- a/src/test/java/net/sf/json/TestJSONSerializer.java`
			`+++ b/src/test/java/net/sf/json/TestJSONSerializer.java`
			`@@ -139,6 +139,15 @@ public class TestJSONSerializer extends TestCase {`
			`assertEquals( beanB.getValue(), ((ValueBean) bb).getValue() );`
			`}`

			`+ public void testToJava_JSONObject_5() throws Exception {`
			`+ try {`
			`+ JSONObject.fromObject("/**");`
			`+ fail("Should have thrown a JSONException");`
			`+ } catch (JSONException expected) {`
			`+ // ok`
			`+ }`
			`+ }`
			`+`
			`public void testToJava_JSONObject_and_reset() throws Exception {`
			`String json = "{bool:true,integer:1,string:\"json\"}";`
			`JSONObject jsonObject = JSONObject.fromObject( json );`
			`--`
			`2.43.0`