add contributors

Add some tests for setting NULL to deallocated pointers
releated to #842 and #833

CHANGELOG.md

@@ -1,3 +1,13 @@
+1.7.18 (May 13, 2024)
+======
+Fixes:
+------
+* Add NULL check to cJSON_SetValuestring()(CVE-2024-31755), see #839 and #840
+* Remove non-functional list handling of compiler flags, see #851
+* Fix heap buffer overflow, see #852
+* remove misused optimization flag -01, see #854
+* Set free'd pointers to NULL whenever they are not reassigned immediately after, see #855 and #833
+
 1.7.17 (Dec 26, 2023)
 ======
 Fixes:

CMakeLists.txt

@@ -2,7 +2,7 @@ set(CMAKE_LEGACY_CYGWIN_WIN32 0)
 cmake_minimum_required(VERSION 3.0)
 
 project(cJSON
-    VERSION 1.7.17
+    VERSION 1.7.18
     LANGUAGES C)
 
 cmake_policy(SET CMP0054 NEW)  # set CMP0054 policy
@@ -70,7 +70,6 @@ if (ENABLE_SANITIZERS)
         -fsanitize=float-cast-overflow
         -fsanitize-address-use-after-scope
         -fsanitize=integer
-        -01
         -fno-sanitize-recover
         )
 endif()
@@ -102,13 +101,10 @@ foreach(compiler_flag ${custom_compiler_flags})
 
     CHECK_C_COMPILER_FLAG(${compiler_flag} "FLAG_SUPPORTED_${current_variable}")
     if (FLAG_SUPPORTED_${current_variable})
-        list(APPEND supported_compiler_flags)
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${compiler_flag}")
     endif()
 endforeach()
 
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${supported_compiler_flags}")
-
 option(BUILD_SHARED_LIBS "Build shared libraries" ON)
 option(ENABLE_TARGET_EXPORT "Enable exporting of CMake targets. Disable when it causes problems!" ON)
 

CONTRIBUTORS.md

@@ -45,6 +45,8 @@ Contributors:
 * [Kevin Sapper](https://github.com/sappo)
 * [Kyle Chisholm](https://github.com/ChisholmKyle)
 * [Linus Wallgren](https://github.com/ecksun)
+* [Luo Jin](https://github.com/Up-wind)
+* [Max](https://github.com/maebex)
 * [MaxBrandtner](https://github.com/MaxBrandtner)
 * [Mateusz Szafoni](https://github.com/raiden00pl)
 * Mike Pontillo
@@ -55,6 +57,7 @@ Contributors:
 * [Moorthy](https://github.com/moorthy-bs)
 * [myd7349](https://github.com/myd7349)
 * [NancyLi1013](https://github.com/NancyLi1013)
+* [Orri](https://github.com/sbvoxel)
 * Paulo Antonio Alvarez
 * [Paweł Malowany](https://github.com/PawelMalowany)
 * [Pawel Winogrodzki](https://github.com/PawelWMS)

Makefile

@@ -8,7 +8,7 @@ CJSON_TEST_SRC = cJSON.c test.c
 
 LDLIBS = -lm
 
-LIBVERSION = 1.7.17
+LIBVERSION = 1.7.18
 CJSON_SOVERSION = 1
 UTILS_SOVERSION = 1
 

SECURITY.md

@@ -0,0 +1,11 @@
+# Security Policy
+
+## Supported Versions
+
+Security is of the highest importance and all security vulnerabilities or suspected security vulnerabilities should be reported to cjson team privately, to minimize attacks against current users of cjson before they are fixed. Vulnerabilities will be investigated and patched on the next patch (or minor) release as soon as possible. This information could be kept entirely internal to the project.
+
+## Reporting a Vulnerability
+
+If you know of a publicly disclosed security vulnerability for cjson, please IMMEDIATELY contact wp_scut@163.com and peterlee@apache.org to inform the cjson Team.
+
+IMPORTANT: Do not file public issues on GitHub for security vulnerabilities.

cJSON.c

@@ -117,7 +117,7 @@ CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item)
 }
 
 /* This is a safeguard to prevent copy-pasters from using incompatible C and header files */
-#if (CJSON_VERSION_MAJOR != 1) || (CJSON_VERSION_MINOR != 7) || (CJSON_VERSION_PATCH != 17)
+#if (CJSON_VERSION_MAJOR != 1) || (CJSON_VERSION_MINOR != 7) || (CJSON_VERSION_PATCH != 18)
     #error cJSON.h and cJSON.c have different versions. Make sure that both have the same.
 #endif
 
@@ -263,10 +263,12 @@ CJSON_PUBLIC(void) cJSON_Delete(cJSON *item)
         if (!(item->type & cJSON_IsReference) && (item->valuestring != NULL))
         {
             global_hooks.deallocate(item->valuestring);
+            item->valuestring = NULL;
         }
         if (!(item->type & cJSON_StringIsConst) && (item->string != NULL))
         {
             global_hooks.deallocate(item->string);
+            item->string = NULL;
         }
         global_hooks.deallocate(item);
         item = next;
@@ -397,6 +399,7 @@ CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number)
     return object->valuedouble = number;
 }
 
+/* Note: when passing a NULL valuestring, cJSON_SetValuestring treats this as an error and return NULL */
 CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
 {
     char *copy = NULL;
@@ -405,8 +408,8 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
     {
         return NULL;
     }
-    /* return NULL if the object is corrupted */
-    if (object->valuestring == NULL)
+    /* return NULL if the object is corrupted or valuestring is NULL */
+    if (object->valuestring == NULL || valuestring == NULL)
     {
         return NULL;
     }
@@ -893,6 +896,7 @@ fail:
     if (output != NULL)
     {
         input_buffer->hooks.deallocate(output);
+        output = NULL;
     }
 
     if (input_pointer != NULL)
@@ -1235,6 +1239,7 @@ static unsigned char *print(const cJSON * const item, cJSON_bool format, const i
 
         /* free the buffer */
         hooks->deallocate(buffer->buffer);
+        buffer->buffer = NULL;
     }
 
     return printed;
@@ -1243,11 +1248,13 @@ fail:
     if (buffer->buffer != NULL)
     {
         hooks->deallocate(buffer->buffer);
+        buffer->buffer = NULL;
     }
 
     if (printed != NULL)
     {
         hooks->deallocate(printed);
+        printed = NULL;
     }
 
     return NULL;
@@ -1288,6 +1295,7 @@ CJSON_PUBLIC(char *) cJSON_PrintBuffered(const cJSON *item, int prebuffer, cJSON
     if (!print_value(item, &p))
     {
         global_hooks.deallocate(p.buffer);
+        p.buffer = NULL;
         return NULL;
     }
 
@@ -1659,6 +1667,11 @@ static cJSON_bool parse_object(cJSON * const item, parse_buffer * const input_bu
             current_item = new_item;
         }
 
+        if (cannot_access_at_index(input_buffer, 1))
+        {
+            goto fail; /* nothing comes after the comma */
+        }
+
         /* parse the name of the child */
         input_buffer->offset++;
         buffer_skip_whitespace(input_buffer);
@@ -3126,4 +3139,5 @@ CJSON_PUBLIC(void *) cJSON_malloc(size_t size)
 CJSON_PUBLIC(void) cJSON_free(void *object)
 {
     global_hooks.deallocate(object);
+    object = NULL;
 }

cJSON.h

@@ -81,7 +81,7 @@ then using the CJSON_API_VISIBILITY flag to "export" the same symbols the way CJ
 /* project version */
 #define CJSON_VERSION_MAJOR 1
 #define CJSON_VERSION_MINOR 7
-#define CJSON_VERSION_PATCH 17
+#define CJSON_VERSION_PATCH 18
 
 #include <stddef.h>
 

tests/CMakeLists.txt

@@ -62,6 +62,7 @@ if(ENABLE_CJSON_TEST)
 
     option(ENABLE_VALGRIND OFF "Enable the valgrind memory checker for the tests.")
     if (ENABLE_VALGRIND)
+        add_compile_definitions(ENABLE_VALGRIND)
         find_program(MEMORYCHECK_COMMAND valgrind)
         if ("${MEMORYCHECK_COMMAND}" MATCHES "MEMORYCHECK_COMMAND-NOTFOUND")
             message(WARNING "Valgrind couldn't be found.")

tests/misc_tests.c

@@ -444,6 +444,7 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
     TEST_ASSERT_FALSE(cJSON_Compare(NULL, item, false));
     TEST_ASSERT_NULL(cJSON_SetValuestring(NULL, "test"));
     TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
+    TEST_ASSERT_NULL(cJSON_SetValuestring(item, NULL));
     cJSON_Minify(NULL);
     /* skipped because it is only used via a macro that checks for NULL */
     /* cJSON_SetNumberHelper(NULL, 0); */
@@ -731,6 +732,23 @@ static void cjson_set_bool_value_must_not_break_objects(void)
     cJSON_Delete(sobj);
 }
 
+static void deallocated_pointers_should_be_set_to_null(void)
+{
+    /* deallocated pointers should be set to null */
+    /* however, valgrind on linux reports when attempting to access a freed memory, we have to skip it */
+#ifndef ENABLE_VALGRIND
+    cJSON *string = cJSON_CreateString("item");
+    cJSON *root = cJSON_CreateObject();
+
+    cJSON_Delete(string);
+    free(string->valuestring);
+
+    cJSON_AddObjectToObject(root, "object");
+    cJSON_Delete(root->child);
+    free(root->child->string);
+#endif
+}
+
 int CJSON_CDECL main(void)
 {
     UNITY_BEGIN();
@@ -761,6 +779,7 @@ int CJSON_CDECL main(void)
     RUN_TEST(cjson_delete_item_from_array_should_not_broken_list_structure);
     RUN_TEST(cjson_set_valuestring_to_object_should_not_leak_memory);
     RUN_TEST(cjson_set_bool_value_must_not_break_objects);
+    RUN_TEST(deallocated_pointers_should_be_set_to_null);
 
     return UNITY_END();
 }

tests/parse_examples.c

@@ -250,6 +250,33 @@ static void test14_should_not_be_parsed(void)
     }
 }
 
+/* Address Sanitizer */
+static void test15_should_not_heap_buffer_overflow(void)
+{
+    const char *strings[] = {
+        "{\"1\":1,",
+        "{\"1\":1, ",
+    };
+
+    size_t i;
+
+    for (i = 0; i < sizeof(strings) / sizeof(strings[0]); i+=1)
+    {
+        const char *json_string = strings[i];
+        size_t len = strlen(json_string);
+        cJSON *json = NULL;
+
+        char *exact_size_heap = (char*)malloc(len);
+        TEST_ASSERT_NOT_NULL(exact_size_heap);
+
+        memcpy(exact_size_heap, json_string, len);
+        json = cJSON_ParseWithLength(exact_size_heap, len);
+
+        cJSON_Delete(json);
+        free(exact_size_heap);
+    }
+}
+
 int CJSON_CDECL main(void)
 {
     UNITY_BEGIN();
@@ -267,5 +294,6 @@ int CJSON_CDECL main(void)
     RUN_TEST(test12_should_not_be_parsed);
     RUN_TEST(test13_should_be_parsed_without_null_termination);
     RUN_TEST(test14_should_not_be_parsed);
+    RUN_TEST(test15_should_not_heap_buffer_overflow);
     return UNITY_END();
 }