|
| 1 | +From 02bebb13f150e1585dc799c84f04e2df0669dd45 Mon Sep 17 00:00:00 2001 |
| 2 | +From: BinduSri-6522866 < [email protected]> |
| 3 | +Date: Mon, 30 Jun 2025 03:04:16 +0000 |
| 4 | +Subject: [PATCH] Address CVE-2023-2681.patch |
| 5 | + |
| 6 | +Upstream Patch reference: https://github.com/DaveGamble/cJSON/commit/a328d65ad490b64da8c87523cbbfe16050ba5bf6 |
| 7 | +--- |
| 8 | + src/util/cJSON.c | 37 ++++++++++++++++++++++++++++++++----- |
| 9 | + 1 file changed, 32 insertions(+), 5 deletions(-) |
| 10 | + |
| 11 | +diff --git a/src/util/cJSON.c b/src/util/cJSON.c |
| 12 | +index b0bc3e8..4955fe6 100644 |
| 13 | +--- a/src/util/cJSON.c |
| 14 | ++++ b/src/util/cJSON.c |
| 15 | +@@ -277,9 +277,11 @@ static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_bu |
| 16 | + { |
| 17 | + double number = 0; |
| 18 | + unsigned char *after_end = NULL; |
| 19 | +- unsigned char number_c_string[64]; |
| 20 | ++ unsigned char *number_c_string; |
| 21 | + unsigned char decimal_point = get_decimal_point(); |
| 22 | + size_t i = 0; |
| 23 | ++ size_t number_string_length = 0; |
| 24 | ++ cJSON_bool has_decimal_point = false; |
| 25 | + |
| 26 | + if ((input_buffer == NULL) || (input_buffer->content == NULL)) |
| 27 | + { |
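Review bot: `number_c_string` is declared without an initializer on the added `unsigned char *number_c_string;` line, while the neighbouring `after_end = NULL` and the two other locals this hunk introduces (`number_string_length`, `has_decimal_point`) are initialised. Writing it as `unsigned char *number_c_string = NULL;` keeps the declaration block consistent and guarantees that no exit added later between this point and the allocation at `loop_end:` can reach `hooks.deallocate` with an indeterminate pointer. parse_number's body continues across the following hunks.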
| 28 | +@@ -289,7 +291,7 @@ static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_bu |
| 29 | + /* copy the number into a temporary buffer and replace '.' with the decimal point |
| 30 | + * of the current locale (for strtod) |
| 31 | + * This also takes care of '\0' not necessarily being available for marking the end of the input */ |
| 32 | +- for (i = 0; (i < (sizeof(number_c_string) - 1)) && can_access_at_index(input_buffer, i); i++) |
| 33 | ++ for (i = 0; can_access_at_index(input_buffer, i); i++) |
| 34 | + { |
| 35 | + switch (buffer_at_offset(input_buffer)[i]) |
| 36 | + { |
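Review bot: The three-line context comment at the top of this hunk, `copy the number into a temporary buffer and replace '.' with the decimal point ...`, no longer describes the loop beneath it: once the `number_c_string[i] = ...` assignments are dropped in the next hunk, the loop only measures the token (`number_string_length++`, `has_decimal_point = true`), and the copy plus locale substitution now happen after `loop_end:` in the third hunk. Since the comment lines are kept as context, the patch as written leaves misleading documentation in place; rewording it to `/* measure the number token and note whether it contains '.'; the copy into a temporary buffer and the locale decimal-point substitution (for strtod) happen after loop_end */` would describe the new flow. The switch body and `loop_end:` label lie outside this hunk.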
| 37 | +@@ -307,11 +309,12 @@ static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_bu |
| 38 | + case '-': |
| 39 | + case 'e': |
| 40 | + case 'E': |
| 41 | +- number_c_string[i] = buffer_at_offset(input_buffer)[i]; |
| 42 | ++ number_string_length++; |
| 43 | + break; |
| 44 | + |
| 45 | + case '.': |
| 46 | +- number_c_string[i] = decimal_point; |
| 47 | ++ number_string_length++; |
| 48 | ++ has_decimal_point = true; |
| 49 | + break; |
| 50 | + |
| 51 | + default: |
| 52 | +@@ -319,11 +322,33 @@ static cJSON_bool parse_number(cJSON * const item, parse_buffer * const input_bu |
| 53 | + } |
| 54 | + } |
| 55 | + loop_end: |
| 56 | +- number_c_string[i] = '\0'; |
| 57 | ++ /* malloc for temporary buffer, add 1 for '\0' */ |
| 58 | ++ number_c_string = (unsigned char *) input_buffer->hooks.allocate(number_string_length + 1); |
| 59 | ++ if (number_c_string == NULL) |
| 60 | ++ { |
| 61 | ++ return false; /* allocation failure */ |
| 62 | ++ } |
| 63 | ++ |
| 64 | ++ memcpy(number_c_string, buffer_at_offset(input_buffer), number_string_length); |
| 65 | ++ number_c_string[number_string_length] = '\0'; |
| 66 | ++ |
| 67 | ++ if (has_decimal_point) |
| 68 | ++ { |
| 69 | ++ for (i = 0; i < number_string_length; i++) |
| 70 | ++ { |
| 71 | ++ if (number_c_string[i] == '.') |
| 72 | ++ { |
| 73 | ++ /* replace '.' with the decimal point of the current locale (for strtod) */ |
| 74 | ++ number_c_string[i] = decimal_point; |
| 75 | ++ } |
| 76 | ++ } |
| 77 | ++ } |
| 78 | + |
| 79 | + number = strtod((const char*)number_c_string, (char**)&after_end); |
| 80 | + if (number_c_string == after_end) |
| 81 | + { |
| 82 | ++ /* free the temporary buffer */ |
| 83 | ++ input_buffer->hooks.deallocate(number_c_string); |
| 84 | + return false; /* parse_error */ |
| 85 | + } |
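Review bot: The temporary buffer now has exactly two visible release points, `hooks.deallocate(number_c_string)` before the parse_error return here and again before the success return in the last hunk, but the new-side lines between this hunk and the next (roughly 355–370, which in upstream cJSON hold the valueint saturation logic if this copy matches) are not part of the patch, so any return in that stretch would leak the allocation and is worth confirming absent. A one-line comment at `loop_end:` stating ownership, `/* number_c_string is heap-allocated via hooks.allocate from here on: every return below must pass it to hooks.deallocate */`, would make that contract visible to whoever next adds a check in this function. The memcpy length matches the bytes already validated by `can_access_at_index` in the counting loop, so the copy itself stays in bounds. The enclosing function starts in the first hunk and ends in the last.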
| 86 | + |
| 87 | +@@ -346,6 +371,8 @@ loop_end: |
| 88 | + item->type = cJSON_Number; |
| 89 | + |
| 90 | + input_buffer->offset += (size_t)(after_end - number_c_string); |
| 91 | ++ /* free the temporary buffer */ |
| 92 | ++ input_buffer->hooks.deallocate(number_c_string); |
| 93 | + return true; |
| 94 | + } |
| 95 | + |
| 96 | +-- |
| 97 | +2.45.3 |
| 98 | + |