Merge pull request #355 from DaveGamble/release-1.7.12

Release 1.7.12

CHANGELOG.md

@@ -1,3 +1,12 @@
+1.7.12
+======
+Fixes:
+------
+* Fix infinite loop in `cJSON_Minify` (potential Denial of Service), thanks @Alanscut for reporting. See #354
+* Fix link error for Visual Studio. Thanks @tan-wei, see #352
+* Undefine `true` and `false` for `cJSON_Utils` before redefining them. Thanks @raiden00pl, see #347
+
+
 1.7.11
 ======
 Fixes:

CMakeLists.txt

@@ -7,7 +7,7 @@ include(GNUInstallDirs)
 
 set(PROJECT_VERSION_MAJOR 1)
 set(PROJECT_VERSION_MINOR 7)
-set(PROJECT_VERSION_PATCH 11)
+set(PROJECT_VERSION_PATCH 12)
 set(CJSON_VERSION_SO 1)
 set(CJSON_UTILS_VERSION_SO 1)
 set(PROJECT_VERSION "${PROJECT_VERSION_MAJOR}.${PROJECT_VERSION_MINOR}.${PROJECT_VERSION_PATCH}")

CONTRIBUTORS.md

@@ -14,6 +14,7 @@ Current Maintainer: [Max Bruckner](https://github.com/FSMaxB)
 * [Debora Grosse](https://github.com/DeboraG)
 * [dieyushi](https://github.com/dieyushi)
 * [Dōngwén Huáng (黄东文)](https://github.com/DongwenHuang)
+* [Donough Liu](https://github.com/ldm0)
 * Eswar Yaganti
 * [Evan Todd](https://github.com/etodd)
 * [Fabrice Fontaine](https://github.com/ffontaine)
@@ -34,12 +35,14 @@ Current Maintainer: [Max Bruckner](https://github.com/FSMaxB)
 * [Pawel Winogrodzki](https://github.com/PawelWMS)
 * [prefetchnta](https://github.com/prefetchnta)
 * [Rafael Leal Dias](https://github.com/rafaeldias)
+* [raiden00pl](https://github.com/raiden00pl)
 * [Robin Mallinson](https://github.com/rmallins)
 * [Rod Vagg](https://github.com/rvagg)
 * [Roland Meertens](https://github.com/rmeertens)
 * [Romain Porte](https://github.com/MicroJoe)
 * [Simon Ricaldone](https://github.com/simon-p-r)
 * [Stephan Gatzka](https://github.com/gatzka)
+* [tan-wei](https://github.com/tan-wei)
 * [Weston Schmidt](https://github.com/schmidtw)
 * [yangfl](https://github.com/yangfl)
 * [yuta-oxo](https://github.com/yuta-oxo)

Makefile

@@ -8,7 +8,7 @@ CJSON_TEST_SRC = cJSON.c test.c
 
 LDLIBS = -lm
 
-LIBVERSION = 1.7.11
+LIBVERSION = 1.7.12
 CJSON_SOVERSION = 1
 UTILS_SOVERSION = 1
 

cJSON.c

@@ -88,7 +88,7 @@ CJSON_PUBLIC(char *) cJSON_GetStringValue(cJSON *item) {
 }
 
 /* This is a safeguard to prevent copy-pasters from using incompatible C and header files */
-#if (CJSON_VERSION_MAJOR != 1) || (CJSON_VERSION_MINOR != 7) || (CJSON_VERSION_PATCH != 11)
+#if (CJSON_VERSION_MAJOR != 1) || (CJSON_VERSION_MINOR != 7) || (CJSON_VERSION_PATCH != 12)
     #error cJSON.h and cJSON.c have different versions. Make sure that both have the same.
 #endif
 
@@ -514,7 +514,7 @@ static cJSON_bool print_number(const cJSON * const item, printbuffer * const out
         }
     }
 
-    /* sprintf failed or buffer overrun occured */
+    /* sprintf failed or buffer overrun occurred */
     if ((length < 0) || (length > (int)(sizeof(number_buffer) - 1)))
     {
         return false;
@@ -1565,7 +1565,7 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
         buffer_skip_whitespace(input_buffer);
         if (!parse_string(current_item, input_buffer))
         {
-            goto fail; /* faile to parse name */
+            goto fail; /* failed to parse name */
         }
         buffer_skip_whitespace(input_buffer);
 
@@ -2717,6 +2717,8 @@ CJSON_PUBLIC(void) cJSON_Minify(char *json)
                 else if (json[1] == '*')
                 {
                     skip_multiline_comment(&json);
+                } else {
+                    json++;
                 }
                 break;
 

cJSON.h

@@ -81,7 +81,7 @@ then using the CJSON_API_VISIBILITY flag to "export" the same symbols the way CJ
 /* project version */
 #define CJSON_VERSION_MAJOR 1
 #define CJSON_VERSION_MINOR 7
-#define CJSON_VERSION_PATCH 11
+#define CJSON_VERSION_PATCH 12
 
 #include <stddef.h>
 

cJSON_Utils.c

@@ -50,7 +50,14 @@
 #include "cJSON_Utils.h"
 
 /* define our own boolean type */
+#ifdef true
+#undef true
+#endif
 #define true ((cJSON_bool)1)
+
+#ifdef false
+#undef false
+#endif
 #define false ((cJSON_bool)0)
 
 static unsigned char* cJSONUtils_strdup(const unsigned char* const string)

tests/CMakeLists.txt

@@ -102,6 +102,9 @@ if(ENABLE_CJSON_TEST)
         foreach (cjson_utils_test ${cjson_utils_tests})
             add_executable("${cjson_utils_test}" "${cjson_utils_test}.c")
             target_link_libraries("${cjson_utils_test}" "${CJSON_LIB}" "${CJSON_UTILS_LIB}" unity)
+            if("${CMAKE_C_COMPILER_ID}" STREQUAL "MSVC")
+                target_sources(${cjson_utils_test} PRIVATE unity_setup.c)
+            endif()
             if(MEMORYCHECK_COMMAND)
                 add_test(NAME "${cjson_utils_test}"
                     COMMAND "${MEMORYCHECK_COMMAND}" ${MEMORYCHECK_COMMAND_OPTIONS} "${CMAKE_CURRENT_BINARY_DIR}/${cjson_utils_test}")

tests/minify_tests.c

@@ -152,6 +152,12 @@ static void cjson_minify_should_minify_json(void) {
     free(buffer);
 }
 
+static void cjson_minify_should_not_loop_infinitely(void) {
+    char string[] = { '8', ' ', '/', ' ', '5', '\n', '\0' };
+    /* this should not be an infinite loop */
+    cJSON_Minify(string);
+}
+
 int CJSON_CDECL main(void)
 {
     UNITY_BEGIN();
@@ -162,6 +168,7 @@ int CJSON_CDECL main(void)
     RUN_TEST(cjson_minify_should_remove_multiline_comments);
     RUN_TEST(cjson_minify_should_remove_spaces);
     RUN_TEST(cjson_minify_should_not_modify_strings);
+    RUN_TEST(cjson_minify_should_not_loop_infinitely);
 
     return UNITY_END();
 }