packages/rapidjson
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2024-38517

Browse Source
This commit is contained in:
zhangxianting 2024-07-04 17:43:37 +08:00
parent 9066f99d01
commit b7ef121235
2 changed files with 64 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
backport-CVE-2024-38517.patch Normal file
View File

@ -0,0 +1,59 @@
From 8269bc2bc289e9d343bae51cdf6d23ef0950e001 Mon Sep 17 00:00:00 2001
From: Florin Malita <fmalita@gmail.com>
Date: Tue, 15 May 2018 22:48:07 -0400
Subject: [PATCH] Prevent int underflow when parsing exponents
When parsing negative exponents, the current implementation takes
precautions for |exp| to not underflow int.
But that is not sufficient: later on [1], |exp + expFrac| is also
stored to an int - so we must ensure that the sum stays within int
representable values.
Update the exp clamping logic to take expFrac into account.
[1] https://github.com/Tencent/rapidjson/blob/master/include/rapidjson/reader.h#L1690
---
include/rapidjson/reader.h | 11 ++++++++++-
test/unittest/readertest.cpp | 1 +
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/include/rapidjson/reader.h b/include/rapidjson/reader.h
index 7441eda4..f95aef42 100644
--- a/include/rapidjson/reader.h
+++ b/include/rapidjson/reader.h
@@ -1632,9 +1632,18 @@ private:
if (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) {
exp = static_cast<int>(s.Take() - '0');
if (expMinus) {
+ // (exp + expFrac) must not underflow int => we're detecting when -exp gets
+ // dangerously close to INT_MIN (a pessimistic next digit 9 would push it into
+ // underflow territory):
+ //
+ // -(exp * 10 + 9) + expFrac >= INT_MIN
+ // <=> exp <= (expFrac - INT_MIN - 9) / 10
+ RAPIDJSON_ASSERT(expFrac <= 0);
+ int maxExp = (expFrac + 2147483639) / 10;
+
while (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) {
exp = exp * 10 + static_cast<int>(s.Take() - '0');
- if (exp >= 214748364) { // Issue #313: prevent overflow exponent
+ if (RAPIDJSON_UNLIKELY(exp > maxExp)) {
while (RAPIDJSON_UNLIKELY(s.Peek() >= '0' && s.Peek() <= '9')) // Consume the rest of exponent
s.Take();
}
diff --git a/test/unittest/readertest.cpp b/test/unittest/readertest.cpp
index e5308019..c4800b93 100644
--- a/test/unittest/readertest.cpp
+++ b/test/unittest/readertest.cpp
@@ -242,6 +242,7 @@ static void TestParseDouble() {
TEST_DOUBLE(fullPrecision, "1e-214748363", 0.0); // Maximum supported negative exponent
TEST_DOUBLE(fullPrecision, "1e-214748364", 0.0);
TEST_DOUBLE(fullPrecision, "1e-21474836311", 0.0);
+ TEST_DOUBLE(fullPrecision, "1.00000000001e-2147483638", 0.0);
TEST_DOUBLE(fullPrecision, "0.017976931348623157e+310", 1.7976931348623157e+308); // Max double in another form
// Since
--
2.20.1

6
rapidjson.spec
View File

@ -1,12 +1,13 @@
%global debug_package %{nil}
Name: rapidjson
Version: 1.1.0
Release: 12
Release: 13
Summary: small & selft-contained fast JSON parser and generator for C++
License: MIT
URL: http://miloyip.github.io/rapidjson
Source0: https://github.com/miloyip/rapidjson/archive/v%{version}.tar.gz#/rapidjson-%{version}.tar.gz
Patch0000: rapidjson-1.1.0-do_not_include_gtest_src_dir.patch
Patch0001: backport-CVE-2024-38517.patch
BuildRequires: cmake gcc-c++ gtest-devel
%ifarch "%{valgrind_arches}"
BuildRequires: valgrind
@ -91,6 +92,9 @@ cd -
%doc %{_pkgdocdir}
%changelog
* Thu Jul 11 2024 zhangxianting <zhangxianting@uniontech.com> - 1.1.0-13
- Fix CVE-2024-38517
* Mon Apr 29 2024 yinsist <jianhui.oerv@isrc.iscas.ac.cn> - 1.1.0-12
- Valgrind does not support certain architectures like RISC-V, Before depending on Valgrind, first check if Valgrind supports the architecture