Fix CVE-2024-38517

backport-CVE-2024-38517.patch

@@ -0,0 +1,59 @@
+From 8269bc2bc289e9d343bae51cdf6d23ef0950e001 Mon Sep 17 00:00:00 2001
+From: Florin Malita <fmalita@gmail.com>
+Date: Tue, 15 May 2018 22:48:07 -0400
+Subject: [PATCH] Prevent int underflow when parsing exponents
+
+When parsing negative exponents, the current implementation takes
+precautions for |exp| to not underflow int.
+
+But that is not sufficient: later on [1], |exp + expFrac| is also
+stored to an int - so we must ensure that the sum stays within int
+representable values.
+
+Update the exp clamping logic to take expFrac into account.
+
+[1] https://github.com/Tencent/rapidjson/blob/master/include/rapidjson/reader.h#L1690
+---
+ include/rapidjson/reader.h   | 11 ++++++++++-
+ test/unittest/readertest.cpp |  1 +
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/include/rapidjson/reader.h b/include/rapidjson/reader.h
+index 7441eda4..f95aef42 100644
+--- a/include/rapidjson/reader.h
++++ b/include/rapidjson/reader.h
+@@ -1632,9 +1632,18 @@ private:
+             if (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) {
+                 exp = static_cast<int>(s.Take() - '0');
+                 if (expMinus) {
++                    // (exp + expFrac) must not underflow int => we're detecting when -exp gets
++                    // dangerously close to INT_MIN (a pessimistic next digit 9 would push it into
++                    // underflow territory):
++                    //
++                    //        -(exp * 10 + 9) + expFrac >= INT_MIN
++                    //   <=>  exp <= (expFrac - INT_MIN - 9) / 10
++                    RAPIDJSON_ASSERT(expFrac <= 0);
++                    int maxExp = (expFrac + 2147483639) / 10;
++
+                     while (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) {
+                         exp = exp * 10 + static_cast<int>(s.Take() - '0');
+-                        if (exp >= 214748364) {                         // Issue #313: prevent overflow exponent
++                        if (RAPIDJSON_UNLIKELY(exp > maxExp)) {
+                             while (RAPIDJSON_UNLIKELY(s.Peek() >= '0' && s.Peek() <= '9'))  // Consume the rest of exponent
+                                 s.Take();
+                         }
+diff --git a/test/unittest/readertest.cpp b/test/unittest/readertest.cpp
+index e5308019..c4800b93 100644
+--- a/test/unittest/readertest.cpp
++++ b/test/unittest/readertest.cpp
+@@ -242,6 +242,7 @@ static void TestParseDouble() {
+     TEST_DOUBLE(fullPrecision, "1e-214748363", 0.0);                                  // Maximum supported negative exponent
+     TEST_DOUBLE(fullPrecision, "1e-214748364", 0.0);
+     TEST_DOUBLE(fullPrecision, "1e-21474836311", 0.0);
++    TEST_DOUBLE(fullPrecision, "1.00000000001e-2147483638", 0.0);
+     TEST_DOUBLE(fullPrecision, "0.017976931348623157e+310", 1.7976931348623157e+308); // Max double in another form
+ 
+     // Since
+-- 
+2.20.1
+

rapidjson.spec

@@ -1,12 +1,13 @@
 %global debug_package   %{nil}
 Name:                 rapidjson
 Version:              1.1.0
-Release:              12
+Release:              13
 Summary:              small & selft-contained fast JSON parser and generator for C++
 License:              MIT
 URL:                  http://miloyip.github.io/rapidjson
 Source0:              https://github.com/miloyip/rapidjson/archive/v%{version}.tar.gz#/rapidjson-%{version}.tar.gz
 Patch0000:            rapidjson-1.1.0-do_not_include_gtest_src_dir.patch
+Patch0001:            backport-CVE-2024-38517.patch
 BuildRequires:        cmake gcc-c++ gtest-devel 
 %ifarch "%{valgrind_arches}"
 BuildRequires:        valgrind
@@ -91,6 +92,9 @@ cd -
 %doc %{_pkgdocdir}
 
 %changelog
+* Thu Jul 11 2024 zhangxianting <zhangxianting@uniontech.com> - 1.1.0-13
+- Fix CVE-2024-38517
+
 * Mon Apr 29 2024 yinsist <jianhui.oerv@isrc.iscas.ac.cn> - 1.1.0-12
 - Valgrind does not support certain architectures like RISC-V, Before depending on Valgrind, first check if Valgrind supports the architecture