Release version 1.5.7

If realloc returns NULL, ensure didn't abort but returned
printbuffer.offset instead. If an attacker can control
printbuffer.offset and also make realloc fail at just the right moment,
this would make cJSON potentially write at an arbitrary memory address.

CHANGELOG.md

@@ -1,3 +1,10 @@
+1.5.7
+=====
+Fixes:
+------
+* Fix a bug where realloc failing would return a pointer to an invalid memory address. This is a security issue as it could potentially be used by an attacker to write to arbitrary memory addresses. (see #189), fixed in (954d61e5e7cb9dc6c480fc28ac1cdceca07dd5bd), big thanks @timothyjohncarney for reporting this issue
+* Fix a spelling mistake in the AFL fuzzer dictionary (#185), thanks @jwilk
+
 1.5.6
 =====
 Fixes:

CMakeLists.txt

@@ -7,7 +7,7 @@ project(cJSON C)
 
 set(PROJECT_VERSION_MAJOR 1)
 set(PROJECT_VERSION_MINOR 5)
-set(PROJECT_VERSION_PATCH 6)
+set(PROJECT_VERSION_PATCH 7)
 set(CJSON_VERSION_SO 1)
 set(CJSON_UTILS_VERSION_SO 1)
 set(PROJECT_VERSION "${PROJECT_VERSION_MAJOR}.${PROJECT_VERSION_MINOR}.${PROJECT_VERSION_PATCH}")

CONTRIBUTORS.md

@@ -15,6 +15,7 @@ Contributors
 * Ian Mobley
 * Irwan Djadjadi
 * [IvanVoid](https://github.com/npi3pak)
+* [Jakub Wilk](https://github.com/jwilk)
 * [Jiri Zouhar](https://github.com/loigu)
 * [Jonathan Fether](https://github.com/jfether)
 * [Julián Vásquez](https://github.com/juvasquezg)

Makefile

@@ -8,7 +8,7 @@ CJSON_TEST_SRC = cJSON.c test.c
 
 LDLIBS = -lm
 
-LIBVERSION = 1.5.6
+LIBVERSION = 1.5.7
 CJSON_SOVERSION = 1
 UTILS_SOVERSION = 1
 

cJSON.c

@@ -58,7 +58,7 @@ CJSON_PUBLIC(const char *) cJSON_GetErrorPtr(void)
 }
 
 /* This is a safeguard to prevent copy-pasters from using incompatible C and header files */
-#if (CJSON_VERSION_MAJOR != 1) || (CJSON_VERSION_MINOR != 5) || (CJSON_VERSION_PATCH != 6)
+#if (CJSON_VERSION_MAJOR != 1) || (CJSON_VERSION_MINOR != 5) || (CJSON_VERSION_PATCH != 7)
     #error cJSON.h and cJSON.c have different versions. Make sure that both have the same.
 #endif
 
@@ -377,6 +377,14 @@ static unsigned char* ensure(printbuffer * const p, size_t needed)
     {
         /* reallocate with realloc if available */
         newbuffer = (unsigned char*)p->hooks.reallocate(p->buffer, newsize);
+        if (newbuffer == NULL)
+        {
+            p->hooks.deallocate(p->buffer);
+            p->length = 0;
+            p->buffer = NULL;
+
+            return NULL;
+        }
     }
     else
     {

cJSON.h

@@ -31,7 +31,7 @@ extern "C"
 /* project version */
 #define CJSON_VERSION_MAJOR 1
 #define CJSON_VERSION_MINOR 5
-#define CJSON_VERSION_PATCH 6
+#define CJSON_VERSION_PATCH 7
 
 #include <stddef.h>
 

fuzzing/json.dict

@@ -25,8 +25,8 @@ escape_sequence_r="\\r"
 escape_sequence_t="\\t"
 escape_sequence_quote="\\\""
 escape_sequence_backslash="\\\\"
-escapce_sequence_slash="\\/"
-escpae_sequence_utf16_base="\\u"
+escape_sequence_slash="\\/"
+escape_sequence_utf16_base="\\u"
 escape_sequence_utf16="\\u12ab"
 
 number_integer="1"

tests/misc_tests.c

@@ -410,6 +410,22 @@ static void cjson_functions_shouldnt_crash_with_null_pointers(void)
     cJSON_Delete(item);
 }
 
+static void *failing_realloc(void *pointer, size_t size)
+{
+    (void)size;
+    (void)pointer;
+    return NULL;
+}
+
+static void ensure_should_fail_on_failed_realloc(void)
+{
+    printbuffer buffer = {NULL, 10, 0, 0, false, false, {&malloc, &free, &failing_realloc}};
+    buffer.buffer = (unsigned char*)malloc(100);
+    TEST_ASSERT_NOT_NULL(buffer.buffer);
+
+    TEST_ASSERT_NULL_MESSAGE(ensure(&buffer, 200), "Ensure didn't fail with failing realloc.");
+}
+
 int main(void)
 {
     UNITY_BEGIN();
@@ -425,6 +441,6 @@ int main(void)
     RUN_TEST(cjson_replace_item_via_pointer_should_replace_items);
     RUN_TEST(cjson_replace_item_in_object_should_preserve_name);
     RUN_TEST(cjson_functions_shouldnt_crash_with_null_pointers);
-
+    RUN_TEST(ensure_should_fail_on_failed_realloc);
     return UNITY_END();
 }