]>
granicus.if.org Git - json-c/log
Eric Hawicz [Sat, 16 May 2020 01:05:30 +0000 (21:05 -0400)]
Merge pull request #611 from besser82/topic/besser82/json-c-0.12/CVE-2020-12762
json-c-0.12.x: Fix CVE-2020-12762 - json-c through 0.14 has an integer overflow and out-of-bounds write ...
Björn Esser [Fri, 15 May 2020 18:38:40 +0000 (20:38 +0200)]
Fix CVE-2020-12762.
This commit is a squashed and slightly modified backport
of the following commits on the master branch:
*
77d935b
*
d07b910
*
519dfe1
*
a59d5ac
Eric Haszlakiewicz [Mon, 27 Nov 2017 04:31:00 +0000 (23:31 -0500)]
Adjust the "-Infinity" fix on the json-c-0.12 branch to match the master branch.
Eric Haszlakiewicz [Mon, 27 Nov 2017 04:16:54 +0000 (23:16 -0500)]
Note a hack that's needed when building from the json-c-0.12 git branch (vs a release tarball) to prevent the dependency handling from trying to run automake.
Eric Haszlakiewicz [Mon, 27 Nov 2017 04:26:37 +0000 (23:26 -0500)]
Merge pull request #372 from jlguardi/json-c-0.12
Json-c 0.12: Fixed Infinity bug
Jlguardi [Fri, 3 Nov 2017 08:55:39 +0000 (09:55 +0100)]
Fixed #371: -Infinity correctly parsed after other Infinity
Jlguardi [Fri, 3 Nov 2017 08:51:16 +0000 (09:51 +0100)]
Improved testing for Infinity
Jlguardi [Fri, 3 Nov 2017 08:32:33 +0000 (09:32 +0100)]
Fixed testReplaceExisting compilation error
Eric Haszlakiewicz [Wed, 4 Oct 2017 22:19:40 +0000 (18:19 -0400)]
Merge pull request #365 from mbehr1/json-c-0.12
added fallthrough for gcc7
Matthias Behr [Tue, 3 Oct 2017 07:26:59 +0000 (09:26 +0200)]
added fallthrough for gcc7
Eric Haszlakiewicz [Tue, 7 Jun 2016 04:05:03 +0000 (04:05 +0000)]
Add doxygen-generated docs for the 0.12.1 release.
Eric Haszlakiewicz [Tue, 7 Jun 2016 03:37:31 +0000 (03:37 +0000)]
Update release version to 0.12.1 and generate configure script.
Eric Haszlakiewicz [Sat, 9 May 2015 01:20:54 +0000 (21:20 -0400)]
Merge pull request #177 from cryogen/json-c-0.12
Fix compiler warnings
Stuart Walsh [Tue, 31 Mar 2015 11:23:03 +0000 (12:23 +0100)]
Fix uninitialised variable compile warning, and also fix unused-when-used warning
Petar Koretić [Fri, 11 Apr 2014 08:03:40 +0000 (10:03 +0200)]
Remove unused variable 'size'
Eric Haszlakiewicz [Fri, 11 Apr 2014 02:35:45 +0000 (22:35 -0400)]
Add doxygen-generated docs for the 0.12 release.
Eric Haszlakiewicz [Fri, 11 Apr 2014 02:03:03 +0000 (22:03 -0400)]
Bump the version numbers for the 0.12 release.
Eric Haszlakiewicz [Fri, 11 Apr 2014 02:02:36 +0000 (22:02 -0400)]
Add automake/autoconf generated files for the 0.12 release.
Eric Haszlakiewicz [Fri, 11 Apr 2014 01:07:20 +0000 (21:07 -0400)]
Update the ChangeLog with the changes for the 0.12 release.
Bump the version in the release checklist.
Michael Clark [Wed, 9 Apr 2014 05:48:21 +0000 (13:48 +0800)]
Patch to address the following issues:
* CVE-2013-6371: hash collision denial of service
* CVE-2013-6370: buffer overflow if size_t is larger than int
Eric Haszlakiewicz [Sun, 23 Mar 2014 01:48:34 +0000 (21:48 -0400)]
Eliminate the deprecated mc_abort() function and MC_ABORT macro.
Eric Haszlakiewicz [Sun, 23 Mar 2014 01:41:24 +0000 (21:41 -0400)]
Make the json_tokener_errors array local. It has been deprecated for a while, and json_tokener_error_desc() should be used instead.
Eric Haszlakiewicz [Sun, 23 Mar 2014 01:40:37 +0000 (21:40 -0400)]
Simplify the tests Makefile to avoid repeating the name of each test.
Eric Haszlakiewicz [Sun, 23 Mar 2014 01:15:41 +0000 (21:15 -0400)]
Rename the "test_case" test to "test_charcase" to make it slightly less confusing.
Eric Haszlakiewicz [Sat, 22 Mar 2014 23:15:01 +0000 (19:15 -0400)]
Fix warnings from autoconf about "...no AC_LANG_SOURCE call detected..." by adding that call within the AC_LINK_IFELSE call.
Eric Haszlakiewicz [Sat, 22 Mar 2014 21:28:40 +0000 (17:28 -0400)]
Issue #103: allow Infinity and -Infinity to be parsed.
Eric Haszlakiewicz [Sat, 22 Mar 2014 17:39:36 +0000 (13:39 -0400)]
Merge pull request #123 from fingon/use-NAN-if-available
nan function requires -lm on some platforms - use of NAN is better, if available
Markus Stenberg [Tue, 18 Mar 2014 14:29:49 +0000 (16:29 +0200)]
nan function requires -lm on some platforms; use of NAN is better, if available.
Eric Haszlakiewicz [Sun, 9 Mar 2014 20:41:33 +0000 (16:41 -0400)]
Issue#102 - add support for parsing "NaN".
Eric Haszlakiewicz [Sun, 2 Mar 2014 17:16:37 +0000 (12:16 -0500)]
Issue#114: check for the presence of isnan and isinf, and provide compat macros on MSCV where _isnan and _finite exist instead.
Eric Haszlakiewicz [Wed, 12 Feb 2014 18:37:17 +0000 (13:37 -0500)]
Merge pull request #121 from TazeTSchnitzel/LowercaseLiterals
Missing lowercase literals test
Andrea Faulds [Wed, 12 Feb 2014 09:52:25 +0000 (09:52 +0000)]
Merge branch 'master' into LowercaseLiterals
Andrea Faulds [Wed, 12 Feb 2014 09:51:51 +0000 (09:51 +0000)]
Missing tests
Eric Haszlakiewicz [Wed, 12 Feb 2014 04:57:24 +0000 (23:57 -0500)]
Eric Haszlakiewicz [Wed, 12 Feb 2014 04:21:50 +0000 (23:21 -0500)]
Merge pull request #112 from TazeTSchnitzel/LowercaseLiterals
Only allow lowercase literals in STRICT mode
Eric Haszlakiewicz [Wed, 12 Feb 2014 04:16:53 +0000 (23:16 -0500)]
Fix Issue #111: Fix off-by-one error when range checking the input to json_tokener_error_desc().
Eric Haszlakiewicz [Wed, 12 Feb 2014 04:13:19 +0000 (23:13 -0500)]
Merge pull request #109 from kdopen/use_strtod
Avoid potential overflow in json_object_get_double
Eric Haszlakiewicz [Wed, 12 Feb 2014 04:06:19 +0000 (23:06 -0500)]
Merge branch 'ebassi-master'
Eric Haszlakiewicz [Wed, 12 Feb 2014 04:05:54 +0000 (23:05 -0500)]
Merge branch 'master' of https://github.com/ebassi/json-c into ebassi-master
Conflicts:
Makefile.am
Eric Haszlakiewicz [Wed, 12 Feb 2014 04:03:46 +0000 (23:03 -0500)]
Ignore and cleanup a few more files that automake creates.
Eric Haszlakiewicz [Wed, 12 Feb 2014 03:55:52 +0000 (22:55 -0500)]
Issue#105: Rename configure.in to configure.ac
Eric Haszlakiewicz [Wed, 12 Feb 2014 03:49:59 +0000 (22:49 -0500)]
Remove the old libjson.so name compatibility support. The library is only created as libjson-c.so now and headers are only installed into the ${prefix}/json-c directory.
Ross Burton [Mon, 18 Nov 2013 16:25:14 +0000 (16:25 +0000)]
build: call AM_PROG_CC_C_O as requested by autoreconf
Andrea Faulds [Thu, 14 Nov 2013 21:13:32 +0000 (21:13 +0000)]
Only allow lowercase literals in STRICT mode
Keith Derrick [Tue, 1 Oct 2013 16:18:51 +0000 (09:18 -0700)]
Avoid potential overflow in json_object_get_double
sscanf is always a potential problem when converting numeric
values as it does not correctly handle over- and underflow
(or at least gives no indication that it has done so).
This change converts json_object_get_double() to use strtod()
according to CERT guidelines.
Emmanuele Bassi [Tue, 17 Sep 2013 12:08:14 +0000 (13:08 +0100)]
Add a check for the -Bsymbolic-functions linker flag
The -Bsymbolic-functions linker flag reduces the amount of PLT jumps in
a shared object, and has a side effect of preventing symbol collisions
in libraries and applications linking against two different shared
objects exposing the same symbol.
While the former is (generally) a performance win, the latter is less
rare than expected. For instance, PulseAudio started linking against
json-c a while ago; now, every project linking against PulseAudio is
leaking json-c symbols. In the GNOME platform, this means that projects
linking against PulseAudio cannot be safely linked against other
libraries depending on the GLib-based JSON parsing libraries JSON-GLib,
because of a symbol conflict. Nominally, this conflict would not be an
issue: libraries and applications do not need to depend on two different
JSON parsing libraries; the symbol leakage, though, ends up causing
either segmentation faults, or weird errors. For further reference,
please see: https://bugzilla.gnome.org/show_bug.cgi?id=703734
JSON-GLib already switched to using -Bsymbolic-functions, but it would
be safe if json-c did the same, wherever the linker flag is available.
Eric Haszlakiewicz [Thu, 12 Sep 2013 02:09:43 +0000 (21:09 -0500)]
Issue #59: change the floating point output format to %.17g so values with more than 6 digits show up in the output.
Eric Haszlakiewicz [Thu, 12 Sep 2013 01:28:56 +0000 (20:28 -0500)]
Use sizeof instead of hard coded values when calling snprintf.
Eric Haszlakiewicz [Thu, 12 Sep 2013 01:27:39 +0000 (20:27 -0500)]
Added a json_object_new_double_s() convenience function to allow an exact string representation of a double to be specified when creating the object and use it in json_tokener_parse_ex() so a re-serialized object more exactly matches the input.
Add json_object_free_userdata() and json_object_userdata_to_json_string() too.
Eric Haszlakiewicz [Sun, 8 Sep 2013 22:30:54 +0000 (17:30 -0500)]
Ignore the test-driver script that is now created, and the script for the test_locale test.
Eric Haszlakiewicz [Sun, 8 Sep 2013 22:23:24 +0000 (17:23 -0500)]
The updated test driver creates .log and .trs files; ignore them.
Eric Haszlakiewicz [Sun, 8 Sep 2013 22:21:52 +0000 (17:21 -0500)]
strndup is gone, remove it from the README file.
Eric Haszlakiewicz [Sun, 8 Sep 2013 20:36:40 +0000 (13:36 -0700)]
Merge pull request #97 from pascal-bach/master
Add const qualifiers to json_object_to_file and json_object_to_file_ext
Eric Haszlakiewicz [Sun, 8 Sep 2013 20:35:28 +0000 (13:35 -0700)]
Merge pull request #96 from rouault/remove_strdnup
Remove redefinition of strndup() which is no longer used in the codebase
Eric Haszlakiewicz [Sun, 8 Sep 2013 20:33:22 +0000 (13:33 -0700)]
Merge pull request #95 from rouault/extern_json_object_set_serializer
Add extern to json_object_set_serializer so that it gets exported (Windows fix)
Eric Haszlakiewicz [Sun, 8 Sep 2013 20:29:05 +0000 (13:29 -0700)]
Merge pull request #94 from remicollet/issue-strict2
more strictness
Eric Haszlakiewicz [Sun, 8 Sep 2013 20:26:56 +0000 (13:26 -0700)]
Merge pull request #93 from tmielika/master
fixing problem that isinf(-Inf) can be 1 or -1
Eric Haszlakiewicz [Sun, 8 Sep 2013 20:20:08 +0000 (13:20 -0700)]
Merge pull request #104 from rouault/fix_json_tokener_error_desc_out_of_bounds_read
Fix potential out-of-bounds read in json_tokener_error_desc
Even Rouault [Sun, 8 Sep 2013 09:31:38 +0000 (11:31 +0200)]
Fix potential out-of-bounds read in json_tokener_error_desc
Found by Coverity. The number of elements of an array 'ar' is found by
sizeof(ar)/sizeof(ar[0]) and not sizeof(ar)
76const char *json_tokener_error_desc(enum json_tokener_error jerr)
77{
78 int jerr_int = (int)jerr;
1. Condition "jerr_int < 0", taking false branch
2. Condition "jerr_int > 112 /* (int)sizeof (gdal_json_tokener_errors) */", taking false branch
79 if (jerr_int < 0 || jerr_int > (int)sizeof(json_tokener_errors))
80 return "Unknown error, invalid json_tokener_error value passed to json_tokener_error_desc()";
CID
1076806 (#1 of 1): Out-of-bounds read (OVERRUN)3. overrun-local: Overrunning array "gdal_json_tokener_errors" of 14 8-byte elements at element index 112 (byte offset 896) using index "jerr" (which evaluates to 112).
81 return json_tokener_errors[jerr];
82}
Remi Collet [Fri, 23 Aug 2013 11:40:01 +0000 (13:40 +0200)]
trailing char not allowed in strict mode
Remi Collet [Wed, 21 Aug 2013 13:41:40 +0000 (15:41 +0200)]
no comment in strict mode
Pascal Bach [Tue, 13 Aug 2013 16:24:23 +0000 (18:24 +0200)]
Update json_util
filename should be passed as const char* to functions
json_object_to_file and json_object_to_file
Even Rouault [Mon, 12 Aug 2013 18:49:19 +0000 (20:49 +0200)]
Remove redefinition of strndup() which is no longer used in the codebase
Even Rouault [Sat, 10 Aug 2013 23:18:17 +0000 (01:18 +0200)]
Add extern to json_object_set_serializer so that it gets exported (Windows fix)
Remi Collet [Tue, 6 Aug 2013 08:41:14 +0000 (10:41 +0200)]
no single-quote string in strict mode
Taneli Mielikainen [Sat, 3 Aug 2013 21:21:58 +0000 (00:21 +0300)]
fixing problem that isinf(-Inf) can be 1 or -1
Eric Haszlakiewicz [Sat, 29 Jun 2013 20:31:18 +0000 (15:31 -0500)]
Eliminate use of MC_ABORT in json-c code, and mark MC_ABORT/mc_abort deprecated.
Also adjust an error message in json_util to make it unique. Fixes #87.
Eric Haszlakiewicz [Sat, 29 Jun 2013 20:21:04 +0000 (15:21 -0500)]
Issue#84: explicitly remove old headers and include/json directory so creating the compat symlink can work.
Eric Haszlakiewicz [Mon, 24 Jun 2013 00:12:14 +0000 (19:12 -0500)]
Fix the _MSC_VER check so it compiles on non-windows compilers. Issue#91
Eric Haszlakiewicz [Sun, 23 Jun 2013 23:55:02 +0000 (18:55 -0500)]
Mention that libtoolize is needed if you're not using a release tarball.
Eric Haszlakiewicz [Wed, 19 Jun 2013 14:14:19 +0000 (09:14 -0500)]
Minor spell check.
Eric Haszlakiewicz [Wed, 19 Jun 2013 14:13:21 +0000 (07:13 -0700)]
Merge pull request #90 from remicollet/issue-strict
in strick mode, number must not start with 0
Eric Haszlakiewicz [Wed, 19 Jun 2013 04:18:27 +0000 (21:18 -0700)]
Merge pull request #89 from ayanes/master
Support NaN and Infinity
Eric Haszlakiewicz [Wed, 19 Jun 2013 04:16:04 +0000 (21:16 -0700)]
Merge pull request #88 from weltling/master
Several MSVC fixes
Remi Collet [Thu, 13 Jun 2013 11:40:01 +0000 (13:40 +0200)]
in strick mode, number must not start with 0
Adrian Yanes [Fri, 7 Jun 2013 20:14:54 +0000 (13:14 -0700)]
Fixes for Infinity and NaN
Although JSON RFC does not support NaN or Infinity
as numeric values ECMA 262 section 9.8.1 defines
how to handle these cases as strings
Anatol Belski [Tue, 4 Jun 2013 18:18:28 +0000 (20:18 +0200)]
Fix C89 compat needed by MSVC
Anatol Belski [Tue, 4 Jun 2013 18:18:05 +0000 (20:18 +0200)]
snprintf definition is needed here, too
Anatol Belski [Tue, 4 Jun 2013 18:17:12 +0000 (20:17 +0200)]
fixe int32_t definition for VC11
int32_t is nowhere in msvc, so the version check could be even removed
Eric Haszlakiewicz [Tue, 30 Apr 2013 14:47:19 +0000 (09:47 -0500)]
Issue #76: use old style comment to allow json_object_iterator.h to build in ansi mode.
Eric Haszlakiewicz [Wed, 3 Apr 2013 02:36:28 +0000 (21:36 -0500)]
Fill in the instructions for update the gh-pages branch.
Eric Haszlakiewicz [Wed, 3 Apr 2013 02:22:59 +0000 (21:22 -0500)]
Bump the versions for the non-release branch; add a placeholder section to the change log.
Eric Haszlakiewicz [Wed, 3 Apr 2013 02:21:38 +0000 (21:21 -0500)]
Fill in a number of missing steps in the release process.
Eric Haszlakiewicz [Mon, 1 Apr 2013 01:58:54 +0000 (20:58 -0500)]
Merge branch 'master' of https://github.com/json-c/json-c
Eric Haszlakiewicz [Mon, 1 Apr 2013 01:58:30 +0000 (20:58 -0500)]
Bump up the version in the release checklist to 0.11
Eric Haszlakiewicz [Mon, 1 Apr 2013 01:57:08 +0000 (20:57 -0500)]
Update the changelog with changes since the 0.10 release.
Eric Haszlakiewicz [Mon, 1 Apr 2013 01:34:28 +0000 (20:34 -0500)]
Update config.h.in to add the HAVE_SETLOCALE and HAVE_LOCALE_H lines.
Eric Haszlakiewicz [Mon, 1 Apr 2013 01:05:36 +0000 (20:05 -0500)]
Issue #15: add a way to set a JSON_TOKENER_STRICT flag to forbid commas at the end of arrays and objects.
Eric Haszlakiewicz [Sun, 24 Mar 2013 00:06:03 +0000 (17:06 -0700)]
Merge pull request #73 from ghazel/master
one definition of json_object_object_foreach only works on c99 and later
Greg Hazel [Tue, 19 Mar 2013 23:26:12 +0000 (16:26 -0700)]
one definition of json_object_object_foreach only works on c99 and later
Eric Haszlakiewicz [Sat, 16 Mar 2013 04:19:48 +0000 (21:19 -0700)]
Merge pull request #71 from WillDignazio/master
Fix Broken Build, Check ADVANCE_CHAR
William Dignazio [Thu, 7 Mar 2013 01:18:14 +0000 (20:18 -0500)]
Fix broken build by using ADVANCE_CHAR macro return.
We forget to check or use the return value of the ADVANCE_CHAR macro,
and upon compilation an error is thrown because of its lack of use. This
patch checks to see if the macro was successful, and if not replaces the
offending character with a replacement.
William Dignazio [Wed, 6 Mar 2013 17:29:33 +0000 (12:29 -0500)]
Rename misnomer POP_CHAR to PEEK_CHAR.
While parsing token data, we use the POP_CHAR macro to 'peek' at
character data. This behaviour is noted in the comments for the macro,
yet the definition is left as 'pop'. Changing to PEEK_CHAR does not
imply that the character being observed is removed.
Eric Haszlakiewicz [Mon, 4 Mar 2013 04:34:34 +0000 (20:34 -0800)]
Merge pull request #70 from tg--/master
rename AM_CONFIG_HEADER to AC_CONFIG_HEADER
Eric Haszlakiewicz [Mon, 4 Mar 2013 04:26:28 +0000 (22:26 -0600)]
Issue #68: use -std=gnu99 because some versions of gcc seem to think that -std=c99 also implies -ansi, which causes warnings and build breakage.
Thomas Gstädtner [Sat, 2 Mar 2013 23:17:25 +0000 (00:17 +0100)]
configure.in: mv AM_CONFIG_HEADER to AC_CONFIG_HEADER
the former has been deprecated and does not work on newer autoconf
versions.
Eric Haszlakiewicz [Wed, 27 Feb 2013 03:14:07 +0000 (21:14 -0600)]
Include the test_locale test in the tests that run.
Eric Haszlakiewicz [Wed, 27 Feb 2013 03:09:10 +0000 (21:09 -0600)]
Merge branch 'remicollet-issue-float'
Conflicts:
json_util.c
Eric Haszlakiewicz [Thu, 21 Feb 2013 18:32:29 +0000 (12:32 -0600)]
Mark the "val" variable in json_object_object_foreach as unused so the compiler doesn't complain. Fix warnings in the testReplaceExisting test.
Eric Haszlakiewicz [Sat, 9 Feb 2013 23:35:33 +0000 (17:35 -0600)]
Add a runtime check to see if parse_int64 needs to workaround sscanf bugs. If that workaround is not needed parsing is nearly twice as fast.