From 78b632134f1597e4cc6498a7bb913c4f9b036caf Mon Sep 17 00:00:00 2001 From: DENG Qingfang Date: Thu, 18 Jun 2020 14:20:15 +0800 Subject: [PATCH] libjson-c: update to 0.14 Update libjson-c to 0.14 Changelog: https://github.com/json-c/json-c/wiki/Notes-for-v0.14-release Switch to CMake because the upstream build system was changed ipk size increased by 2KB Signed-off-by: DENG Qingfang --- package/libs/libjson-c/Makefile | 24 +-- package/libs/libjson-c/patches/000-libm.patch | 23 +-- .../patches/001-Fix-CVE-2020-12762.patch | 180 ++++++++++++++++++ ...list_del_idx-against-size_t-overflow.patch | 27 --- ...Prevent-division-by-zero-in-linkhash.patch | 32 ---- .../patches/003-Fix-integer-overflows.patch | 86 --------- ...e-backwards-check-in-lh_table_insert.patch | 29 --- 7 files changed, 191 insertions(+), 210 deletions(-) create mode 100644 package/libs/libjson-c/patches/001-Fix-CVE-2020-12762.patch delete mode 100644 package/libs/libjson-c/patches/001-Protect-array_list_del_idx-against-size_t-overflow.patch delete mode 100644 package/libs/libjson-c/patches/002-Prevent-division-by-zero-in-linkhash.patch delete mode 100644 package/libs/libjson-c/patches/003-Fix-integer-overflows.patch delete mode 100644 package/libs/libjson-c/patches/004-Issue-599-Fix-the-backwards-check-in-lh_table_insert.patch diff --git a/package/libs/libjson-c/Makefile b/package/libs/libjson-c/Makefile index f02518310a3e..5e88bba9a3fb 100644 --- a/package/libs/libjson-c/Makefile +++ b/package/libs/libjson-c/Makefile @@ -8,26 +8,25 @@ include $(TOPDIR)/rules.mk PKG_NAME:=json-c -PKG_VERSION:=0.13.1 -PKG_RELEASE:=2 +PKG_VERSION:=0.14 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-nodoc.tar.gz PKG_SOURCE_URL:=https://s3.amazonaws.com/json-c_releases/releases/ -PKG_HASH:=94a26340c0785fcff4f46ff38609cf84ebcd670df0c8efd75d039cc951d80132 -PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION) -PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_SOURCE_SUBDIR) +PKG_HASH:=99914e644a25201d82ccefa20430f7515c110923360f9ef46755527c02412afa PKG_LICENSE:=MIT PKG_LICENSE_FILES:=COPYING PKG_CPE_ID:=cpe:/a:json-c_project:json-c -PKG_FIXUP:=autoreconf -PKG_INSTALL:=1 +CMAKE_INSTALL:=1 +CMAKE_OPTIONS += -DCMAKE_INSTALL_INCLUDEDIR=$(STAGING_DIR)/usr/include PKG_MAINTAINER:=Felix Fietkau include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/host-build.mk +include $(INCLUDE_DIR)/cmake.mk TARGET_CFLAGS += $(FPIC) -Wno-implicit-fallthrough HOST_CFLAGS += -Wno-implicit-fallthrough @@ -38,22 +37,13 @@ define Package/libjson-c CATEGORY:=Libraries TITLE:=javascript object notation URL:=https://json-c.github.io/json-c/ - ABI_VERSION:=4 + ABI_VERSION:=5 endef define Package/libjson-c/description This package contains a library for javascript object notation backends. endef -define Build/InstallDev - $(INSTALL_DIR) $(1)/usr/include - $(CP) $(PKG_INSTALL_DIR)/usr/include/json-c $(1)/usr/include/ - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libjson-c.{a,so*} $(1)/usr/lib/ - $(INSTALL_DIR) $(1)/usr/lib/pkgconfig - $(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/json-c.pc $(1)/usr/lib/pkgconfig/ -endef - define Package/libjson-c/install $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/usr/lib/libjson-c.so.* $(1)/usr/lib/ diff --git a/package/libs/libjson-c/patches/000-libm.patch b/package/libs/libjson-c/patches/000-libm.patch index de98e35d4346..35ffec87243b 100644 --- a/package/libs/libjson-c/patches/000-libm.patch +++ b/package/libs/libjson-c/patches/000-libm.patch @@ -1,18 +1,3 @@ ---- a/configure.ac -+++ b/configure.ac -@@ -76,12 +76,6 @@ AC_FUNC_VPRINTF - AC_FUNC_MEMCMP - AC_CHECK_FUNCS([realloc]) - AC_CHECK_FUNCS(strcasecmp strdup strerror snprintf vsnprintf vasprintf open vsyslog strncasecmp setlocale) --AC_CHECK_DECLS([INFINITY], [], [], [[#include ]]) --AC_CHECK_DECLS([nan], [], [], [[#include ]]) --AC_CHECK_DECLS([isnan], [], [], [[#include ]]) --AC_CHECK_DECLS([isinf], [], [], [[#include ]]) --AC_CHECK_DECLS([_isnan], [], [], [[#include ]]) --AC_CHECK_DECLS([_finite], [], [], [[#include ]]) - AC_MSG_CHECKING(for GCC atomic builtins) - AC_LINK_IFELSE( - [ --- a/math_compat.h +++ b/math_compat.h @@ -6,31 +6,9 @@ @@ -22,17 +7,17 @@ -/* Define isnan, isinf, infinity and nan on Windows/MSVC */ - -#ifndef HAVE_DECL_ISNAN --# ifdef HAVE_DECL__ISNAN +-#ifdef HAVE_DECL__ISNAN -#include -#define isnan(x) _isnan(x) --# endif +-#endif -#endif - -#ifndef HAVE_DECL_ISINF --# ifdef HAVE_DECL__FINITE +-#ifdef HAVE_DECL__FINITE -#include -#define isinf(x) (!_finite(x)) --# endif +-#endif -#endif - -#ifndef HAVE_DECL_INFINITY diff --git a/package/libs/libjson-c/patches/001-Fix-CVE-2020-12762.patch b/package/libs/libjson-c/patches/001-Fix-CVE-2020-12762.patch new file mode 100644 index 000000000000..3871d9992f53 --- /dev/null +++ b/package/libs/libjson-c/patches/001-Fix-CVE-2020-12762.patch @@ -0,0 +1,180 @@ +From 5d6fa331418d49f1bd488553fd1cfa9ab023fabb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Esser?= +Date: Thu, 14 May 2020 12:32:30 +0200 +Subject: [PATCH] Fix CVE-2020-12762. + +This commit is a squashed backport of the following commits +on the master branch: + + * 099016b7e8d70a6d5dd814e788bba08d33d48426 + * 77d935b7ae7871a1940cd827e850e6063044ec45 + * d07b91014986900a3a75f306d302e13e005e9d67 + * 519dfe1591d85432986f9762d41d1a883198c157 + * a59d5acfab4485d5133114df61785b1fc633e0c6 + * 26f080997d41cfdb17beab65e90c82217d0ac43b +--- + arraylist.c | 3 +++ + linkhash.c | 9 ++++++++- + printbuf.c | 18 ++++++++++++++++-- + tests/test4.c | 29 +++++++++++++++++++++++++++++ + tests/test4.expected | 1 + + 5 files changed, 57 insertions(+), 3 deletions(-) + +--- a/arraylist.c ++++ b/arraylist.c +@@ -136,6 +136,9 @@ int array_list_del_idx(struct array_list + { + size_t i, stop; + ++ /* Avoid overflow in calculation with large indices. */ ++ if (idx > SIZE_T_MAX - count) ++ return -1; + stop = idx + count; + if (idx >= arr->length || stop > arr->length) + return -1; +--- a/linkhash.c ++++ b/linkhash.c +@@ -12,6 +12,7 @@ + + #include "config.h" + ++#include + #include + #include + #include +@@ -499,6 +500,8 @@ struct lh_table *lh_table_new(int size, + int i; + struct lh_table *t; + ++ /* Allocate space for elements to avoid divisions by zero. */ ++ assert(size > 0); + t = (struct lh_table *)calloc(1, sizeof(struct lh_table)); + if (!t) + return NULL; +@@ -578,8 +581,12 @@ int lh_table_insert_w_hash(struct lh_tab + unsigned long n; + + if (t->count >= t->size * LH_LOAD_FACTOR) +- if (lh_table_resize(t, t->size * 2) != 0) ++ { ++ /* Avoid signed integer overflow with large tables. */ ++ int new_size = (t->size > INT_MAX / 2) ? INT_MAX : (t->size * 2); ++ if (t->size == INT_MAX || lh_table_resize(t, new_size) != 0) + return -1; ++ } + + n = h % t->size; + +--- a/printbuf.c ++++ b/printbuf.c +@@ -15,6 +15,7 @@ + + #include "config.h" + ++#include + #include + #include + #include +@@ -66,9 +67,16 @@ static int printbuf_extend(struct printb + if (p->size >= min_size) + return 0; + +- new_size = p->size * 2; +- if (new_size < min_size + 8) ++ /* Prevent signed integer overflows with large buffers. */ ++ if (min_size > INT_MAX - 8) ++ return -1; ++ if (p->size > INT_MAX / 2) + new_size = min_size + 8; ++ else { ++ new_size = p->size * 2; ++ if (new_size < min_size + 8) ++ new_size = min_size + 8; ++ } + #ifdef PRINTBUF_DEBUG + MC_DEBUG("printbuf_memappend: realloc " + "bpos=%d min_size=%d old_size=%d new_size=%d\n", +@@ -83,6 +91,9 @@ static int printbuf_extend(struct printb + + int printbuf_memappend(struct printbuf *p, const char *buf, int size) + { ++ /* Prevent signed integer overflows with large buffers. */ ++ if (size > INT_MAX - p->bpos - 1) ++ return -1; + if (p->size <= p->bpos + size + 1) + { + if (printbuf_extend(p, p->bpos + size + 1) < 0) +@@ -100,6 +111,9 @@ int printbuf_memset(struct printbuf *pb, + + if (offset == -1) + offset = pb->bpos; ++ /* Prevent signed integer overflows with large buffers. */ ++ if (len > INT_MAX - offset) ++ return -1; + size_needed = offset + len; + if (pb->size < size_needed) + { +--- a/tests/test4.c ++++ b/tests/test4.c +@@ -3,12 +3,15 @@ + */ + + #include "config.h" ++#include + #include ++#include + #include + + #include "json_inttypes.h" + #include "json_object.h" + #include "json_tokener.h" ++#include "snprintf_compat.h" + + void print_hex(const char *s) + { +@@ -24,6 +27,29 @@ void print_hex(const char *s) + putchar('\n'); + } + ++static void test_lot_of_adds(void); ++static void test_lot_of_adds() ++{ ++ int ii; ++ char key[50]; ++ json_object *jobj = json_object_new_object(); ++ assert(jobj != NULL); ++ for (ii = 0; ii < 500; ii++) ++ { ++ snprintf(key, sizeof(key), "k%d", ii); ++ json_object *iobj = json_object_new_int(ii); ++ assert(iobj != NULL); ++ if (json_object_object_add(jobj, key, iobj)) ++ { ++ fprintf(stderr, "FAILED to add object #%d\n", ii); ++ abort(); ++ } ++ } ++ printf("%s\n", json_object_to_json_string(jobj)); ++ assert(json_object_object_length(jobj) == 500); ++ json_object_put(jobj); ++} ++ + int main(void) + { + const char *input = "\"\\ud840\\udd26,\\ud840\\udd27,\\ud800\\udd26,\\ud800\\udd27\""; +@@ -52,5 +78,8 @@ int main(void) + retval = 1; + } + json_object_put(parse_result); ++ ++ test_lot_of_adds(); ++ + return retval; + } +--- a/tests/test4.expected ++++ b/tests/test4.expected +@@ -1,3 +1,4 @@ + input: "\ud840\udd26,\ud840\udd27,\ud800\udd26,\ud800\udd27" + JSON parse result is correct: 𠄦,𠄧,𐄦,𐄧 + PASS ++{ "k0": 0, "k1": 1, "k2": 2, "k3": 3, "k4": 4, "k5": 5, "k6": 6, "k7": 7, "k8": 8, "k9": 9, "k10": 10, "k11": 11, "k12": 12, "k13": 13, "k14": 14, "k15": 15, "k16": 16, "k17": 17, "k18": 18, "k19": 19, "k20": 20, "k21": 21, "k22": 22, "k23": 23, "k24": 24, "k25": 25, "k26": 26, "k27": 27, "k28": 28, "k29": 29, "k30": 30, "k31": 31, "k32": 32, "k33": 33, "k34": 34, "k35": 35, "k36": 36, "k37": 37, "k38": 38, "k39": 39, "k40": 40, "k41": 41, "k42": 42, "k43": 43, "k44": 44, "k45": 45, "k46": 46, "k47": 47, "k48": 48, "k49": 49, "k50": 50, "k51": 51, "k52": 52, "k53": 53, "k54": 54, "k55": 55, "k56": 56, "k57": 57, "k58": 58, "k59": 59, "k60": 60, "k61": 61, "k62": 62, "k63": 63, "k64": 64, "k65": 65, "k66": 66, "k67": 67, "k68": 68, "k69": 69, "k70": 70, "k71": 71, "k72": 72, "k73": 73, "k74": 74, "k75": 75, "k76": 76, "k77": 77, "k78": 78, "k79": 79, "k80": 80, "k81": 81, "k82": 82, "k83": 83, "k84": 84, "k85": 85, "k86": 86, "k87": 87, "k88": 88, "k89": 89, "k90": 90, "k91": 91, "k92": 92, "k93": 93, "k94": 94, "k95": 95, "k96": 96, "k97": 97, "k98": 98, "k99": 99, "k100": 100, "k101": 101, "k102": 102, "k103": 103, "k104": 104, "k105": 105, "k106": 106, "k107": 107, "k108": 108, "k109": 109, "k110": 110, "k111": 111, "k112": 112, "k113": 113, "k114": 114, "k115": 115, "k116": 116, "k117": 117, "k118": 118, "k119": 119, "k120": 120, "k121": 121, "k122": 122, "k123": 123, "k124": 124, "k125": 125, "k126": 126, "k127": 127, "k128": 128, "k129": 129, "k130": 130, "k131": 131, "k132": 132, "k133": 133, "k134": 134, "k135": 135, "k136": 136, "k137": 137, "k138": 138, "k139": 139, "k140": 140, "k141": 141, "k142": 142, "k143": 143, "k144": 144, "k145": 145, "k146": 146, "k147": 147, "k148": 148, "k149": 149, "k150": 150, "k151": 151, "k152": 152, "k153": 153, "k154": 154, "k155": 155, "k156": 156, "k157": 157, "k158": 158, "k159": 159, "k160": 160, "k161": 161, "k162": 162, "k163": 163, "k164": 164, "k165": 165, "k166": 166, "k167": 167, "k168": 168, "k169": 169, "k170": 170, "k171": 171, "k172": 172, "k173": 173, "k174": 174, "k175": 175, "k176": 176, "k177": 177, "k178": 178, "k179": 179, "k180": 180, "k181": 181, "k182": 182, "k183": 183, "k184": 184, "k185": 185, "k186": 186, "k187": 187, "k188": 188, "k189": 189, "k190": 190, "k191": 191, "k192": 192, "k193": 193, "k194": 194, "k195": 195, "k196": 196, "k197": 197, "k198": 198, "k199": 199, "k200": 200, "k201": 201, "k202": 202, "k203": 203, "k204": 204, "k205": 205, "k206": 206, "k207": 207, "k208": 208, "k209": 209, "k210": 210, "k211": 211, "k212": 212, "k213": 213, "k214": 214, "k215": 215, "k216": 216, "k217": 217, "k218": 218, "k219": 219, "k220": 220, "k221": 221, "k222": 222, "k223": 223, "k224": 224, "k225": 225, "k226": 226, "k227": 227, "k228": 228, "k229": 229, "k230": 230, "k231": 231, "k232": 232, "k233": 233, "k234": 234, "k235": 235, "k236": 236, "k237": 237, "k238": 238, "k239": 239, "k240": 240, "k241": 241, "k242": 242, "k243": 243, "k244": 244, "k245": 245, "k246": 246, "k247": 247, "k248": 248, "k249": 249, "k250": 250, "k251": 251, "k252": 252, "k253": 253, "k254": 254, "k255": 255, "k256": 256, "k257": 257, "k258": 258, "k259": 259, "k260": 260, "k261": 261, "k262": 262, "k263": 263, "k264": 264, "k265": 265, "k266": 266, "k267": 267, "k268": 268, "k269": 269, "k270": 270, "k271": 271, "k272": 272, "k273": 273, "k274": 274, "k275": 275, "k276": 276, "k277": 277, "k278": 278, "k279": 279, "k280": 280, "k281": 281, "k282": 282, "k283": 283, "k284": 284, "k285": 285, "k286": 286, "k287": 287, "k288": 288, "k289": 289, "k290": 290, "k291": 291, "k292": 292, "k293": 293, "k294": 294, "k295": 295, "k296": 296, "k297": 297, "k298": 298, "k299": 299, "k300": 300, "k301": 301, "k302": 302, "k303": 303, "k304": 304, "k305": 305, "k306": 306, "k307": 307, "k308": 308, "k309": 309, "k310": 310, "k311": 311, "k312": 312, "k313": 313, "k314": 314, "k315": 315, "k316": 316, "k317": 317, "k318": 318, "k319": 319, "k320": 320, "k321": 321, "k322": 322, "k323": 323, "k324": 324, "k325": 325, "k326": 326, "k327": 327, "k328": 328, "k329": 329, "k330": 330, "k331": 331, "k332": 332, "k333": 333, "k334": 334, "k335": 335, "k336": 336, "k337": 337, "k338": 338, "k339": 339, "k340": 340, "k341": 341, "k342": 342, "k343": 343, "k344": 344, "k345": 345, "k346": 346, "k347": 347, "k348": 348, "k349": 349, "k350": 350, "k351": 351, "k352": 352, "k353": 353, "k354": 354, "k355": 355, "k356": 356, "k357": 357, "k358": 358, "k359": 359, "k360": 360, "k361": 361, "k362": 362, "k363": 363, "k364": 364, "k365": 365, "k366": 366, "k367": 367, "k368": 368, "k369": 369, "k370": 370, "k371": 371, "k372": 372, "k373": 373, "k374": 374, "k375": 375, "k376": 376, "k377": 377, "k378": 378, "k379": 379, "k380": 380, "k381": 381, "k382": 382, "k383": 383, "k384": 384, "k385": 385, "k386": 386, "k387": 387, "k388": 388, "k389": 389, "k390": 390, "k391": 391, "k392": 392, "k393": 393, "k394": 394, "k395": 395, "k396": 396, "k397": 397, "k398": 398, "k399": 399, "k400": 400, "k401": 401, "k402": 402, "k403": 403, "k404": 404, "k405": 405, "k406": 406, "k407": 407, "k408": 408, "k409": 409, "k410": 410, "k411": 411, "k412": 412, "k413": 413, "k414": 414, "k415": 415, "k416": 416, "k417": 417, "k418": 418, "k419": 419, "k420": 420, "k421": 421, "k422": 422, "k423": 423, "k424": 424, "k425": 425, "k426": 426, "k427": 427, "k428": 428, "k429": 429, "k430": 430, "k431": 431, "k432": 432, "k433": 433, "k434": 434, "k435": 435, "k436": 436, "k437": 437, "k438": 438, "k439": 439, "k440": 440, "k441": 441, "k442": 442, "k443": 443, "k444": 444, "k445": 445, "k446": 446, "k447": 447, "k448": 448, "k449": 449, "k450": 450, "k451": 451, "k452": 452, "k453": 453, "k454": 454, "k455": 455, "k456": 456, "k457": 457, "k458": 458, "k459": 459, "k460": 460, "k461": 461, "k462": 462, "k463": 463, "k464": 464, "k465": 465, "k466": 466, "k467": 467, "k468": 468, "k469": 469, "k470": 470, "k471": 471, "k472": 472, "k473": 473, "k474": 474, "k475": 475, "k476": 476, "k477": 477, "k478": 478, "k479": 479, "k480": 480, "k481": 481, "k482": 482, "k483": 483, "k484": 484, "k485": 485, "k486": 486, "k487": 487, "k488": 488, "k489": 489, "k490": 490, "k491": 491, "k492": 492, "k493": 493, "k494": 494, "k495": 495, "k496": 496, "k497": 497, "k498": 498, "k499": 499 } diff --git a/package/libs/libjson-c/patches/001-Protect-array_list_del_idx-against-size_t-overflow.patch b/package/libs/libjson-c/patches/001-Protect-array_list_del_idx-against-size_t-overflow.patch deleted file mode 100644 index 456fbf35ff2e..000000000000 --- a/package/libs/libjson-c/patches/001-Protect-array_list_del_idx-against-size_t-overflow.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 099016b7e8d70a6d5dd814e788bba08d33d48426 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann -Date: Mon, 4 May 2020 19:41:16 +0200 -Subject: [PATCH 1/2] Protect array_list_del_idx against size_t overflow. - -If the assignment of stop overflows due to idx and count being -larger than SIZE_T_MAX in sum, out of boundary access could happen. - -It takes invalid usage of this function for this to happen, but -I decided to add this check so array_list_del_idx is as safe against -bad usage as the other arraylist functions. ---- - arraylist.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/arraylist.c -+++ b/arraylist.c -@@ -135,6 +135,9 @@ array_list_del_idx( struct array_list *a - { - size_t i, stop; - -+ /* Avoid overflow in calculation with large indices. */ -+ if (idx > SIZE_T_MAX - count) -+ return -1; - stop = idx + count; - if ( idx >= arr->length || stop > arr->length ) return -1; - for ( i = idx; i < stop; ++i ) { diff --git a/package/libs/libjson-c/patches/002-Prevent-division-by-zero-in-linkhash.patch b/package/libs/libjson-c/patches/002-Prevent-division-by-zero-in-linkhash.patch deleted file mode 100644 index d37fe5857bd7..000000000000 --- a/package/libs/libjson-c/patches/002-Prevent-division-by-zero-in-linkhash.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 77d935b7ae7871a1940cd827e850e6063044ec45 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann -Date: Mon, 4 May 2020 19:46:45 +0200 -Subject: [PATCH 2/2] Prevent division by zero in linkhash. - -If a linkhash with a size of zero is created, then modulo operations -are prone to division by zero operations. - -Purely protective measure against bad usage. ---- - linkhash.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/linkhash.c -+++ b/linkhash.c -@@ -12,6 +12,7 @@ - - #include "config.h" - -+#include - #include - #include - #include -@@ -498,6 +499,8 @@ struct lh_table* lh_table_new(int size, - int i; - struct lh_table *t; - -+ /* Allocate space for elements to avoid divisions by zero. */ -+ assert(size > 0); - t = (struct lh_table*)calloc(1, sizeof(struct lh_table)); - if (!t) - return NULL; diff --git a/package/libs/libjson-c/patches/003-Fix-integer-overflows.patch b/package/libs/libjson-c/patches/003-Fix-integer-overflows.patch deleted file mode 100644 index 2fac62df5932..000000000000 --- a/package/libs/libjson-c/patches/003-Fix-integer-overflows.patch +++ /dev/null @@ -1,86 +0,0 @@ -From d07b91014986900a3a75f306d302e13e005e9d67 Mon Sep 17 00:00:00 2001 -From: Tobias Stoeckmann -Date: Mon, 4 May 2020 19:47:25 +0200 -Subject: [PATCH] Fix integer overflows. - -The data structures linkhash and printbuf are limited to 2 GB in size -due to a signed integer being used to track their current size. - -If too much data is added, then size variable can overflow, which is -an undefined behaviour in C programming language. - -Assuming that a signed int overflow just leads to a negative value, -like it happens on many sytems (Linux i686/amd64 with gcc), then -printbuf is vulnerable to an out of boundary write on 64 bit systems. ---- - linkhash.c | 7 +++++-- - printbuf.c | 19 ++++++++++++++++--- - 2 files changed, 21 insertions(+), 5 deletions(-) - ---- a/linkhash.c -+++ b/linkhash.c -@@ -579,9 +579,12 @@ int lh_table_insert_w_hash(struct lh_tab - { - unsigned long n; - -- if (t->count >= t->size * LH_LOAD_FACTOR) -- if (lh_table_resize(t, t->size * 2) != 0) -+ if (t->count >= t->size * LH_LOAD_FACTOR) { -+ /* Avoid signed integer overflow with large tables. */ -+ int new_size = INT_MAX / 2 < t->size ? t->size * 2 : INT_MAX; -+ if (t->size == INT_MAX || lh_table_resize(t, new_size) != 0) - return -1; -+ } - - n = h % t->size; - ---- a/printbuf.c -+++ b/printbuf.c -@@ -15,6 +15,7 @@ - - #include "config.h" - -+#include - #include - #include - #include -@@ -65,9 +66,16 @@ static int printbuf_extend(struct printb - if (p->size >= min_size) - return 0; - -- new_size = p->size * 2; -- if (new_size < min_size + 8) -- new_size = min_size + 8; -+ /* Prevent signed integer overflows with large buffers. */ -+ if (min_size > INT_MAX - 8) -+ return -1; -+ if (p->size > INT_MAX / 2) -+ new_size = min_size + 8; -+ else { -+ new_size = p->size * 2; -+ if (new_size < min_size + 8) -+ new_size = min_size + 8; -+ } - #ifdef PRINTBUF_DEBUG - MC_DEBUG("printbuf_memappend: realloc " - "bpos=%d min_size=%d old_size=%d new_size=%d\n", -@@ -82,6 +90,9 @@ static int printbuf_extend(struct printb - - int printbuf_memappend(struct printbuf *p, const char *buf, int size) - { -+ /* Prevent signed integer overflows with large buffers. */ -+ if (size > INT_MAX - p->bpos - 1) -+ return -1; - if (p->size <= p->bpos + size + 1) { - if (printbuf_extend(p, p->bpos + size + 1) < 0) - return -1; -@@ -98,6 +109,9 @@ int printbuf_memset(struct printbuf *pb, - - if (offset == -1) - offset = pb->bpos; -+ /* Prevent signed integer overflows with large buffers. */ -+ if (len > INT_MAX - offset) -+ return -1; - size_needed = offset + len; - if (pb->size < size_needed) - { diff --git a/package/libs/libjson-c/patches/004-Issue-599-Fix-the-backwards-check-in-lh_table_insert.patch b/package/libs/libjson-c/patches/004-Issue-599-Fix-the-backwards-check-in-lh_table_insert.patch deleted file mode 100644 index aed6918e7080..000000000000 --- a/package/libs/libjson-c/patches/004-Issue-599-Fix-the-backwards-check-in-lh_table_insert.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 519dfe1591d85432986f9762d41d1a883198c157 Mon Sep 17 00:00:00 2001 -From: Eric Haszlakiewicz -Date: Sun, 10 May 2020 03:32:19 +0000 -Subject: [PATCH] Issue #599: Fix the backwards check in - lh_table_insert_w_hash() that was preventing adding more than 11 objects. Add - a test to check for this too. - ---- - linkhash.c | 2 +- - tests/test4.c | 29 +++++++++++++++++++++++++++++ - tests/test4.expected | 1 + - 3 files changed, 31 insertions(+), 1 deletion(-) - -diff --git a/linkhash.c b/linkhash.c -index 51e90b1..f930efd 100644 ---- a/linkhash.c -+++ b/linkhash.c -@@ -582,7 +582,7 @@ int lh_table_insert_w_hash(struct lh_table *t, const void *k, const void *v, con - - if (t->count >= t->size * LH_LOAD_FACTOR) { - /* Avoid signed integer overflow with large tables. */ -- int new_size = INT_MAX / 2 < t->size ? t->size * 2 : INT_MAX; -+ int new_size = (t->size > INT_MAX / 2) ? INT_MAX : (t->size * 2); - if (t->size == INT_MAX || lh_table_resize(t, new_size) != 0) - return -1; - } --- -2.26.2 - -- 2.30.2