Compare commits


5 Commits

Author SHA1 Message Date
Ssh1y Ripple fb16e5cf35 Fix: Type Confusion vulnerability in cJSON_Utils caused by missing type check (#1006) 2026-04-09 09:59:11 +08:00
Lee b2890c8d76 fix: prevent NULL pointer dereference in cJSON_SetNumberHelper (#991)
Add NULL check at the beginning of cJSON_SetNumberHelper to prevent
segmentation fault when called with NULL object pointer. The function
now returns NAN (Not-a-Number) when object is NULL, consistent with
error handling patterns in other cJSON functions.

This fixes a Denial of Service vulnerability (CWE-476) where an
attacker could crash applications using the cJSON library by
triggering this function with a NULL pointer.

Changes:
- cJSON.c: Add NULL check in cJSON_SetNumberHelper
- tests/misc_tests.c: Add test case and math.h include

Security: Fixes NULL pointer dereference vulnerability
2026-03-12 19:18:36 +08:00
Lee a3f3d6c784 docs: fix outdated CMake version requirement in README (#990)
The README stated that CMake 2.8.5+ was required, but CMakeLists.txt
requires CMake 3.5+. This inconsistency caused confusion for users
with CMake versions between 2.8.5 and 3.5.

Also updated library_config/uninstall.cmake to match for consistency.

Fixes #988
2026-03-12 19:18:15 +08:00
liloler 5cc0e39f42 Fix: add depth check to prevent stack overflow in cJSON_Print (#984) 2026-02-25 15:40:05 +08:00
Lee a29814f285 upgrade version of cmake_minimum_required (#986)
github actions fix
2026-02-07 17:13:51 +08:00
6 changed files with 22 additions and 6 deletions
+1 -1
@@ -1,5 +1,5 @@
set(CMAKE_LEGACY_CYGWIN_WIN32 0)
cmake_minimum_required(VERSION 3.0)
cmake_minimum_required(VERSION 3.5)
project(cJSON
VERSION 1.7.19
+1 -1
@@ -89,7 +89,7 @@ cJSON is written in ANSI C (C89) in order to support as many platforms and compi
#### CMake
With CMake, cJSON supports a full blown build system. This way you get the most features. CMake with an equal or higher version than 2.8.5 is supported. With CMake it is recommended to do an out of tree build, meaning the compiled files are put in a directory separate from the source files. So in order to build cJSON with CMake on a Unix platform, make a `build` directory and run CMake inside it.
With CMake, cJSON supports a full blown build system. This way you get the most features. CMake with an equal or higher version than 3.5 is supported. With CMake it is recommended to do an out of tree build, meaning the compiled files are put in a directory separate from the source files. So in order to build cJSON with CMake on a Unix platform, make a `build` directory and run CMake inside it.
```
mkdir build
+15
@@ -410,6 +410,11 @@ loop_end:
/* don't ask me, but the original cJSON_SetNumberValue returns an integer or double */
CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number)
{
if (object == NULL)
{
return (double)NAN;
}
if (number >= INT_MAX)
{
object->valueint = INT_MAX;
@@ -1598,6 +1603,11 @@ static cJSON_bool print_array(const cJSON * const item, printbuffer * const outp
return false;
}
if (output_buffer->depth >= CJSON_NESTING_LIMIT)
{
return false; /* nesting is too deep */
}
/* Compose the output array. */
/* opening square bracket */
output_pointer = ensure(output_buffer, 1);
@@ -1778,6 +1788,11 @@ static cJSON_bool print_object(const cJSON * const item, printbuffer * const out
return false;
}
if (output_buffer->depth >= CJSON_NESTING_LIMIT)
{
return false; /* nesting is too deep */
}
/* Compose the output: */
length = (size_t) (output_buffer->format ? 2 : 1); /* fmt: {\n */
output_pointer = ensure(output_buffer, length + 1);
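Review bot: The new `output_buffer->depth >= CJSON_NESTING_LIMIT` guard in print_array, and the identical one in print_object, has no regression test in this comparison; the only test change covers cJSON_SetNumberHelper. A test that builds a chain of nested arrays (and one of nested objects) one level deeper than CJSON_NESTING_LIMIT and asserts that cJSON_Print returns NULL would pin the behaviour. The `return false` is also indistinguishable from an allocation failure for the caller, so the documentation of the public printing functions should state that over-deep trees fail to print. Both functions begin and end outside these hunks, so where depth is incremented and whether it is restored on every exit path cannot be checked from here.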
+1 -1
@@ -906,7 +906,7 @@ static int apply_patch(cJSON *object, const cJSON *patch, const cJSON_bool case_
if ((opcode == MOVE) || (opcode == COPY))
{
cJSON *from = get_object_item(patch, "from", case_sensitive);
if (from == NULL)
if (!cJSON_IsString(from))
{
/* missing "from" for copy/move. */
status = 4;
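Review bot: The comment inside the branch, `/* missing "from" for copy/move. */`, no longer matches the condition, because `!cJSON_IsString(from)` also rejects a `from` member that is present but not a string; `/* missing or non-string "from" for copy/move. */` would say what status 4 now means. No test accompanies the change in this comparison; a patch document with a numeric or object `from` for both `move` and `copy`, asserting a non-zero return from `cJSONUtils_ApplyPatches`, would keep the type check from regressing. apply_patch starts and ends outside the hunk, so it is worth confirming that the other patch members it reads get the same type check before their valuestring is used.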
+1 -1
@@ -1,4 +1,4 @@
cmake_minimum_required(VERSION 2.8.5)
cmake_minimum_required(VERSION 3.5)
set(MANIFEST "${CMAKE_CURRENT_BINARY_DIR}/install_manifest.txt")
+3 -2
@@ -23,6 +23,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <math.h>
#include "unity/examples/unity_config.h"
#include "unity/src/unity.h"
@@ -478,8 +479,8 @@ static void cjson_functions_should_not_crash_with_null_pointers(void)
TEST_ASSERT_NULL(cJSON_SetValuestring(corruptedString, "test"));
TEST_ASSERT_NULL(cJSON_SetValuestring(item, NULL));
cJSON_Minify(NULL);
/* skipped because it is only used via a macro that checks for NULL */
/* cJSON_SetNumberHelper(NULL, 0); */
/* cJSON_SetNumberHelper should handle NULL gracefully */
TEST_ASSERT_TRUE(isnan(cJSON_SetNumberHelper(NULL, 0)));
/* restore corrupted item2 to delete it */
item2->prev = originalPrev;
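Review bot: `isnan` on the new assertion line is a C99 macro, while the README text shown on this page describes the project as ANSI C (C89), so this test may fail to build under a strict C89 toolchain. If the Unity configuration used here has double support enabled, `TEST_ASSERT_DOUBLE_IS_NAN(cJSON_SetNumberHelper(NULL, 0));` expresses the same check without `isnan` and would make the added `#include <math.h>` unnecessary. The same concern applies to `(double)NAN` in cJSON.c unless a fallback definition of NAN exists outside the visible lines.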