packages/rapidjson
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:2eff54f282bc0a29a8dcd168487c31f2eaa02ac2
Branches Tags
packages:main
..
compare: packages:c804261b12a2045090becc4758eb52201785f762
Branches Tags
packages:main

10 Commits
2eff54f282 ... c804261b12

Author SHA1 Message Date
openeuler-ci-bot
c804261b12
!12 Fix CVE-2024-38517 
From: @zhangxianting 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen
 2024-07-11 03:35:02 +00:00
zhangxianting
b7ef121235 Fix CVE-2024-38517 2024-07-04 17:43:37 +08:00
openeuler-ci-bot
9066f99d01
!10 first check if Valgrind supports the build architecture 
From: @yinist 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
 2024-05-07 01:14:09 +00:00
Yinsist
758546bf6a first check if Valgrind supports the architecture 2024-04-29 13:51:33 +00:00
openeuler-ci-bot
c984481785
!9 Do not force C++11: gtest 1.13.0 requires at least C++14 
From: @lyn1001 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
 2023-08-28 07:02:50 +00:00
lyn1001
1f1d96d7f8 Do not force C++11: gtest 1.13.0 requires at least C++14 2023-08-25 15:40:10 +08:00
openeuler-ci-bot
b57f223611 !5 fix tag_prefix error 
From: @hht8
Reviewed-by: @licihua
Signed-off-by: @licihua
 2021-01-05 16:38:27 +08:00
hht8
a7b4acff75 fix tag_prefix error 2021-01-05 16:28:31 +08:00
openeuler-ci-bot
bc8f46c727 !4 【轻量级 PR】:修改拼写错误 
Merge pull request !4 from Monday/N/A
 2020-08-10 09:46:57 +08:00
Monday
7afb980d8b 修改拼写错误 2020-08-09 12:24:35 +08:00
3 changed files with 78 additions and 6 deletions
Show Stats Expand all files Collapse all files

59
backport-CVE-2024-38517.patch Normal file
View File

@ -0,0 +1,59 @@
From 8269bc2bc289e9d343bae51cdf6d23ef0950e001 Mon Sep 17 00:00:00 2001
From: Florin Malita <fmalita@gmail.com>
Date: Tue, 15 May 2018 22:48:07 -0400
Subject: [PATCH] Prevent int underflow when parsing exponents
When parsing negative exponents, the current implementation takes
precautions for |exp| to not underflow int.
But that is not sufficient: later on [1], |exp + expFrac| is also
stored to an int - so we must ensure that the sum stays within int
representable values.
Update the exp clamping logic to take expFrac into account.
[1] https://github.com/Tencent/rapidjson/blob/master/include/rapidjson/reader.h#L1690
---
include/rapidjson/reader.h | 11 ++++++++++-
test/unittest/readertest.cpp | 1 +
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/include/rapidjson/reader.h b/include/rapidjson/reader.h
index 7441eda4..f95aef42 100644
--- a/include/rapidjson/reader.h
+++ b/include/rapidjson/reader.h
@@ -1632,9 +1632,18 @@ private:
if (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) {
exp = static_cast<int>(s.Take() - '0');
if (expMinus) {
+ // (exp + expFrac) must not underflow int => we're detecting when -exp gets
+ // dangerously close to INT_MIN (a pessimistic next digit 9 would push it into
+ // underflow territory):
+ //
+ // -(exp * 10 + 9) + expFrac >= INT_MIN
+ // <=> exp <= (expFrac - INT_MIN - 9) / 10
+ RAPIDJSON_ASSERT(expFrac <= 0);
+ int maxExp = (expFrac + 2147483639) / 10;
+
while (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) {
exp = exp * 10 + static_cast<int>(s.Take() - '0');
- if (exp >= 214748364) { // Issue #313: prevent overflow exponent
+ if (RAPIDJSON_UNLIKELY(exp > maxExp)) {
while (RAPIDJSON_UNLIKELY(s.Peek() >= '0' && s.Peek() <= '9')) // Consume the rest of exponent
s.Take();
}
diff --git a/test/unittest/readertest.cpp b/test/unittest/readertest.cpp
index e5308019..c4800b93 100644
--- a/test/unittest/readertest.cpp
+++ b/test/unittest/readertest.cpp
@@ -242,6 +242,7 @@ static void TestParseDouble() {
TEST_DOUBLE(fullPrecision, "1e-214748363", 0.0); // Maximum supported negative exponent
TEST_DOUBLE(fullPrecision, "1e-214748364", 0.0);
TEST_DOUBLE(fullPrecision, "1e-21474836311", 0.0);
+ TEST_DOUBLE(fullPrecision, "1.00000000001e-2147483638", 0.0);
TEST_DOUBLE(fullPrecision, "0.017976931348623157e+310", 1.7976931348623157e+308); // Max double in another form
// Since
--
2.20.1

19
rapidjson.spec
View File

@ -1,13 +1,17 @@
%global debug_package %{nil}
Name: rapidjson
Version: 1.1.0
Release: 10
Release: 13
Summary: small & selft-contained fast JSON parser and generator for C++
License: MIT
URL: http://miloyip.github.io/rapidjson
Source0: https://github.com/miloyip/rapidjson/archive/v%{version}.tar.gz#/rapidjson-%{version}.tar.gz
Patch0000: rapidjson-1.1.0-do_not_include_gtest_src_dir.patch
BuildRequires: cmake gcc-c++ gtest-devel valgrind
Patch0001: backport-CVE-2024-38517.patch
BuildRequires: cmake gcc-c++ gtest-devel
%ifarch "%{valgrind_arches}"
BuildRequires: valgrind
%endif
%description
RapidJSON as a fast JSON parser which generator for c++. It`s inspired by
@ -54,7 +58,7 @@ done
%build
cd build
%cmake -DDOC_INSTALL_DIR=%{_pkgdocdir} -DGTESTSRC_FOUND=TRUE -DGTEST_SOURCE_DIR=. ..
%cmake -DDOC_INSTALL_DIR=%{_pkgdocdir} -DRAPIDJSON_BUILD_CXX11:BOOL=OFF -DGTESTSRC_FOUND=TRUE -DGTEST_SOURCE_DIR=. ..
%make_build
cd -
@ -88,6 +92,15 @@ cd -
%doc %{_pkgdocdir}
%changelog
* Thu Jul 11 2024 zhangxianting <zhangxianting@uniontech.com> - 1.1.0-13
- Fix CVE-2024-38517
* Mon Apr 29 2024 yinsist <jianhui.oerv@isrc.iscas.ac.cn> - 1.1.0-12
- Valgrind does not support certain architectures like RISC-V, Before depending on Valgrind, first check if Valgrind supports the architecture
* Fri Aug 25 2023 liyanan <thistleslyn@163.com> - 1.1.0-11
- Do not force C++11: gtest 1.13.0 requires at least C++14
* Wed Jul 29 2020 lingsheng <lingsheng@huawei.com> - 1.1.0-10
- Not use hardlink absolute path

6
rapidjson.yaml
View File

@ -1,4 +1,4 @@
version-control: github
version_control: github
src_repo: Tencent/rapidjson
tag_prefix: v^
seperator: .
tag_prefix: "^v"
separator: .