
external/cjson: Update cJSON from upstream v1.7.15-33-gacc7623

CJSON_REV_ID: acc76239bee01d8e9c858ae2cab296704e52d916
Part-of: <https://gitlab.freedesktop.org/monado/monado/-/merge_requests/2448>

+104 -12
+1
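--- a/doc/changes/misc_fixes/mr.2447.md
+++ b/doc/changes/misc_fixes/mr.2447.md
@@ -0,0 +1 @@
+Update cJSON to 1.7.18.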
+36
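--- a/src/external/cjson/cjson/CHANGELOG.md
+++ b/src/external/cjson/cjson/CHANGELOG.md
@@ -1,3 +1,39 @@
+1.7.18 (May 13, 2024)
+======
+Fixes:
+------
+* Add NULL check to cJSON_SetValuestring()(CVE-2024-31755), see #839 and #840
+* Remove non-functional list handling of compiler flags, see #851
+* Fix heap buffer overflow, see #852
+* remove misused optimization flag -01, see #854
+* Set free'd pointers to NULL whenever they are not reassigned immediately after, see #855 and #833
+
+1.7.17 (Dec 26, 2023)
+======
+Fixes:
+------
+* Fix null reference in cJSON_SetValuestring(CVE-2023-50472), see #809
+* Fix null reference in cJSON_InsertItemInArray(CVE-2023-50471), see #809 and #810
+
+1.7.16 (Jul 5, 2023)
+======
+Features:
+------
+* Add an option for ENABLE_CJSON_VERSION_SO in CMakeLists.txt, see #534
+* Add cmake_policy to CMakeLists.txt, see #163
+* Add cJSON_SetBoolValue, see #639
+* Add meson documentation, see #761
+
+Fixes:
+------
+* Fix memory leak in merge_patch, see #611
+* Fix conflicting target names 'uninstall', see #617
+* Bump cmake version to 3.0 and use new version syntax, see #587
+* Print int without decimal places, see #630
+* Fix 'cjson_utils-static' target not exist, see #625
+* Add allocate check for replace_item_in_object, see #675
+* Fix a null pointer crash in cJSON_ReplaceItemViaPointer, see #726
+
 1.7.15 (Aug 25, 2021)
 ======
 Fixes: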
+15
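--- a/src/external/cjson/cjson/CONTRIBUTORS.md
+++ b/src/external/cjson/cjson/CONTRIBUTORS.md
@@ -10,8 +10,10 @@
 
 Contributors:
 * [Ajay Bhargav](https://github.com/ajaybhargav)
+* [AlexanderVasiljev](https://github.com/AlexanderVasiljev)
 * [Alper Akcan](https://github.com/alperakcan)
 * [Andrew Tang](https://github.com/singku)
+* [Andy](https://github.com/mlh0101)
 * [Anton Sergeev](https://github.com/anton-sergeev)
 * [Benbuck Nason](https://github.com/bnason-nf)
 * [Bernt Johan Damslora](https://github.com/bjda)
@@ -29,25 +31,33 @@
 * [Fabrice Fontaine](https://github.com/ffontaine)
 * Ian Mobley
 * Irwan Djadjadi
+* [hopper-vul](https://github.com/hopper-vul)
 * [HuKeping](https://github.com/HuKeping)
 * [IvanVoid](https://github.com/npi3pak)
 * [Jakub Wilk](https://github.com/jwilk)
 * [Jiri Zouhar](https://github.com/loigu)
 * [Jonathan Fether](https://github.com/jfether)
+* [Joshua Arulsamy](https://github.com/jarulsamy)
 * [Julian Ste](https://github.com/julian-st)
 * [Julián Vásquez](https://github.com/juvasquezg)
+* [Junbo Zheng](https://github.com/Junbo-Zheng)
 * [Kevin Branigan](https://github.com/kbranigan)
 * [Kevin Sapper](https://github.com/sappo)
 * [Kyle Chisholm](https://github.com/ChisholmKyle)
 * [Linus Wallgren](https://github.com/ecksun)
+* [Luo Jin](https://github.com/Up-wind)
+* [Max](https://github.com/maebex)
+* [MaxBrandtner](https://github.com/MaxBrandtner)
 * [Mateusz Szafoni](https://github.com/raiden00pl)
 * Mike Pontillo
 * [miaoerduo](https://github.com/miaoerduo)
+* [mohawk2](https://github.com/mohawk2)
 * [Mike Jerris](https://github.com/mjerris)
 * [Mike Robinson](https://github.com/mhrobinson)
 * [Moorthy](https://github.com/moorthy-bs)
 * [myd7349](https://github.com/myd7349)
 * [NancyLi1013](https://github.com/NancyLi1013)
+* [Orri](https://github.com/sbvoxel)
 * Paulo Antonio Alvarez
 * [Paweł Malowany](https://github.com/PawelMalowany)
 * [Pawel Winogrodzki](https://github.com/PawelWMS)
@@ -61,10 +71,14 @@
 * [Romain Porte](https://github.com/MicroJoe)
 * [SANJEEV BA](https://github.com/basanjeev)
 * [Sang-Heon Jeon](https://github.com/lntuition)
+* [Sayan Bandyopadhyay](https://github.com/saynb)
 * [Simon Sobisch](https://github.com/GitMensch)
 * [Simon Ricaldone](https://github.com/simon-p-r)
+* [Stoian Ivanov](https://github.com/sdrsdr)
+* [SuperH-0630](https://github.com/SuperH-0630)
 * [Square789](https://github.com/Square789)
 * [Stephan Gatzka](https://github.com/gatzka)
+* [Tony Langhammer](https://github.com/BigBrainAFK)
 * [Vemake](https://github.com/vemakereporter)
 * [Wei Tan](https://github.com/tan-wei)
 * [Weston Schmidt](https://github.com/schmidtw)
@@ -73,6 +87,7 @@
 * [yuta-oxo](https://github.com/yuta-oxo)
 * [Zach Hindes](https://github.com/zhindes)
 * [Zhao Zhixu](https://github.com/zhaozhixu)
+* [10km](https://github.com/10km)
 
 And probably more people on [SourceForge](https://sourceforge.net/p/cjson/bugs/search/?q=status%3Aclosed-rejected+or+status%3Aclosed-out-of-date+or+status%3Awont-fix+or+status%3Aclosed-fixed+or+status%3Aclosed&page=0)
 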
+44 -11
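--- a/src/external/cjson/cjson/cJSON.c
+++ b/src/external/cjson/cjson/cJSON.c
@@ -96,9 +96,9 @@
 return (const char*) (global_error.json + global_error.position);
 }
 
-CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item)
+CJSON_PUBLIC(char *) cJSON_GetStringValue(const cJSON * const item)
 {
-if (!cJSON_IsString(item))
+if (!cJSON_IsString(item))
 {
 return NULL;
 }
@@ -106,9 +106,9 @@
 return item->valuestring;
 }
 
-CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item)
+CJSON_PUBLIC(double) cJSON_GetNumberValue(const cJSON * const item)
 {
-if (!cJSON_IsNumber(item))
+if (!cJSON_IsNumber(item))
 {
 return (double) NAN;
 }
@@ -117,7 +117,7 @@
 }
 
 /* This is a safeguard to prevent copy-pasters from using incompatible C and header files */
-#if (CJSON_VERSION_MAJOR != 1) || (CJSON_VERSION_MINOR != 7) || (CJSON_VERSION_PATCH != 15)
+#if (CJSON_VERSION_MAJOR != 1) || (CJSON_VERSION_MINOR != 7) || (CJSON_VERSION_PATCH != 18)
 #error cJSON.h and cJSON.c have different versions. Make sure that both have the same.
 #endif
 
@@ -263,10 +263,12 @@
 if (!(item->type & cJSON_IsReference) && (item->valuestring != NULL))
 {
 global_hooks.deallocate(item->valuestring);
+item->valuestring = NULL;
 }
 if (!(item->type & cJSON_StringIsConst) && (item->string != NULL))
 {
 global_hooks.deallocate(item->string);
+item->string = NULL;
 }
 global_hooks.deallocate(item);
 item = next;
@@ -397,11 +399,17 @@
 return object->valuedouble = number;
 }
 
+/* Note: when passing a NULL valuestring, cJSON_SetValuestring treats this as an error and return NULL */
 CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
 {
 char *copy = NULL;
 /* if object's type is not cJSON_String or is cJSON_IsReference, it should not set valuestring */
-if (!(object->type & cJSON_String) || (object->type & cJSON_IsReference))
+if ((object == NULL) || !(object->type & cJSON_String) || (object->type & cJSON_IsReference))
+{
+return NULL;
+}
+/* return NULL if the object is corrupted or valuestring is NULL */
+if (object->valuestring == NULL || valuestring == NULL)
 {
 return NULL;
 }
@@ -511,7 +519,7 @@
 
 return NULL;
 }
-
+
 memcpy(newbuffer, p->buffer, p->offset + 1);
 p->hooks.deallocate(p->buffer);
 }
@@ -562,6 +570,10 @@
 {
 length = sprintf((char*)number_buffer, "null");
 }
+else if(d == (double)item->valueint)
+{
+length = sprintf((char*)number_buffer, "%d", item->valueint);
+}
 else
 {
 /* Try 15 decimal places of precision to avoid nonsignificant nonzero digits */
@@ -884,6 +896,7 @@
 if (output != NULL)
 {
 input_buffer->hooks.deallocate(output);
+output = NULL;
 }
 
 if (input_pointer != NULL)
@@ -1103,7 +1116,7 @@
 }
 
 buffer.content = (const unsigned char*)value;
-buffer.length = buffer_length;
+buffer.length = buffer_length;
 buffer.offset = 0;
 buffer.hooks = global_hooks;
 
@@ -1226,6 +1239,7 @@
 
 /* free the buffer */
 hooks->deallocate(buffer->buffer);
+buffer->buffer = NULL;
 }
 
 return printed;
@@ -1234,11 +1248,13 @@
 if (buffer->buffer != NULL)
 {
 hooks->deallocate(buffer->buffer);
+buffer->buffer = NULL;
 }
 
 if (printed != NULL)
 {
 hooks->deallocate(printed);
+printed = NULL;
 }
 
 return NULL;
@@ -1279,6 +1295,7 @@
 if (!print_value(item, &p))
 {
 global_hooks.deallocate(p.buffer);
+p.buffer = NULL;
 return NULL;
 }
 
@@ -1648,6 +1665,11 @@
 current_item->next = new_item;
 new_item->prev = current_item;
 current_item = new_item;
+}
+
+if (cannot_access_at_index(input_buffer, 1))
+{
+goto fail; /* nothing comes after the comma */
 }
 
 /* parse the name of the child */
@@ -2260,7 +2282,7 @@
 {
 cJSON *after_inserted = NULL;
 
-if (which < 0)
+if (which < 0 || newitem == NULL)
 {
 return false;
 }
@@ -2271,6 +2293,11 @@
 return add_item_to_array(array, newitem);
 }
 
+if (after_inserted != array->child && after_inserted->prev == NULL) {
+/* return false if after_inserted is a corrupted array item */
+return false;
+}
+
 newitem->next = after_inserted;
 newitem->prev = after_inserted->prev;
 after_inserted->prev = newitem;
@@ -2287,7 +2314,7 @@
 
 CJSON_PUBLIC(cJSON_bool) cJSON_ReplaceItemViaPointer(cJSON * const parent, cJSON * const item, cJSON * replacement)
 {
-if ((parent == NULL) || (replacement == NULL) || (item == NULL))
+if ((parent == NULL) || (parent->child == NULL) || (replacement == NULL) || (item == NULL))
 {
 return false;
 }
@@ -2357,6 +2384,11 @@
 cJSON_free(replacement->string);
 }
 replacement->string = (char*)cJSON_strdup((const unsigned char*)string, &global_hooks);
+if (replacement->string == NULL)
+{
+return false;
+}
+
 replacement->type &= ~cJSON_StringIsConst;
 
 return cJSON_ReplaceItemViaPointer(object, get_object_item(object, string, case_sensitive), replacement);
@@ -2689,7 +2721,7 @@
 if (a && a->child) {
 a->child->prev = n;
 }
-
+
 return a;
 }
 
@@ -3107,4 +3139,5 @@
 CJSON_PUBLIC(void) cJSON_free(void *object)
 {
 global_hooks.deallocate(object);
+object = NULL;
 }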
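Review bot: The `object = NULL;` added to `cJSON_free` in the last hunk writes to the function's own copy of the pointer, so the caller's pointer is left dangling exactly as before and the compiler may discard the store. Anyone relying on this import for use-after-free or double-free hardening still has to clear the pointer at the call site; a comment such as `/* clears only the local copy; callers must reset their own pointer */` would keep the line from being read as protection. The same holds for `printed = NULL;` directly before `return NULL;` and, as far as the hunk shows, for `item->valuestring = NULL;` and `item->string = NULL;` just before `global_hooks.deallocate(item)` releases the item itself. Because this file is vendored at the pinned CJSON_REV_ID, the change is better raised upstream than patched locally.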
+8 -1
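--- a/src/external/cjson/cjson/cJSON.h
+++ b/src/external/cjson/cjson/cJSON.h
@@ -81,7 +81,7 @@
 /* project version */
 #define CJSON_VERSION_MAJOR 1
 #define CJSON_VERSION_MINOR 7
-#define CJSON_VERSION_PATCH 15
+#define CJSON_VERSION_PATCH 18
 
 #include <stddef.h>
 
@@ -278,6 +278,13 @@
 #define cJSON_SetNumberValue(object, number) ((object != NULL) ? cJSON_SetNumberHelper(object, (double)number) : (number))
 /* Change the valuestring of a cJSON_String object, only takes effect when type of object is cJSON_String */
 CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring);
+
+/* If the object is not a boolean type this does nothing and returns cJSON_Invalid else it returns the new type*/
+#define cJSON_SetBoolValue(object, boolValue) ( \
+(object != NULL && ((object)->type & (cJSON_False|cJSON_True))) ? \
+(object)->type=((object)->type &(~(cJSON_False|cJSON_True)))|((boolValue)?cJSON_True:cJSON_False) : \
+cJSON_Invalid\
+)
 
 /* Macro for iterating over an array or object */
 #define cJSON_ArrayForEach(element, array) for(element = (array != NULL) ? (array)->child : NULL; element != NULL; element = element->next)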
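Review bot: The new `cJSON_SetBoolValue` macro tests `object != NULL` without parentheses around the argument and expands `object` up to four times, so an argument with side effects or a lower-precedence operator (a conditional expression, for example) would be evaluated repeatedly or parsed differently from what the caller wrote. The first test should read `((object) != NULL && ((object)->type & (cJSON_False|cJSON_True)))`, and the comment above the macro should say that both arguments must be free of side effects. The neighbouring `cJSON_SetNumberValue` context line has the same unparenthesised `object != NULL`. As this header is vendored, the fix is better sent upstream so the copy keeps matching the pinned revision.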