Release cJSON v1.7.7

Thanks @AlfieDeng for reporting

CHANGELOG.md

@@ -1,3 +1,39 @@
+1.7.7
+=====
+Fixes:
+------
+* Fix a memory leak when realloc fails (see #267), thanks @AlfieDeng for reporting
+* Fix a typo in the header file (see #266), thanks @zhaozhixu
+
+1.7.6
+=====
+Fixes:
+------
+* Add `SONAME` to the ELF files built by the Makefile (see #252), thanks @YanhaoMo for reporting
+* Add include guards and `extern "C"` to `cJSON_Utils.h` (see #256), thanks @daschfg for reporting
+
+Other changes:
+--------------
+* Mark the Makefile as deprecated in the README.
+
+1.7.5
+=====
+Fixes:
+------
+* Fix a bug in the JSON Patch implementation of `cJSON Utils` (see #251), thanks @bobkocisko.
+
+1.7.4
+=====
+Fixes:
+------
+* Fix potential use after free if the `string` parameter to `cJSON_AddItemToObject` is an alias of the `string` property of the object that is added (#248). Thanks @hhallen for reporting.
+
+1.7.3
+=====
+Fixes:
+------
+* Fix potential double free, thanks @projectgus for reporting (see #241)
+
 1.7.2
 =====
 Fixes:

CMakeLists.txt

@@ -7,7 +7,7 @@ include(GNUInstallDirs)
 
 set(PROJECT_VERSION_MAJOR 1)
 set(PROJECT_VERSION_MINOR 7)
-set(PROJECT_VERSION_PATCH 2)
+set(PROJECT_VERSION_PATCH 7)
 set(CJSON_VERSION_SO 1)
 set(CJSON_UTILS_VERSION_SO 1)
 set(PROJECT_VERSION "${PROJECT_VERSION_MAJOR}.${PROJECT_VERSION_MINOR}.${PROJECT_VERSION_PATCH}")

CONTRIBUTORS.md

@@ -7,6 +7,7 @@ Current Maintainer: [Max Bruckner](https://github.com/FSMaxB)
 * [Ajay Bhargav](https://github.com/ajaybhargav)
 * [Alper Akcan](https://github.com/alperakcan)
 * [Anton Sergeev](https://github.com/anton-sergeev)
+* [Bob Kocisko](https://github.com/bobkocisko)
 * [Christian Schulze](https://github.com/ChristianSch)
 * [Casperinous](https://github.com/Casperinous)
 * [Debora Grosse](https://github.com/DeboraG)
@@ -40,5 +41,8 @@ Current Maintainer: [Max Bruckner](https://github.com/FSMaxB)
 * [Stephan Gatzka](https://github.com/gatzka)
 * [Weston Schmidt](https://github.com/schmidtw)
 * [yangfl](https://github.com/yangfl)
+* [Zhao Zhixu](https://github.com/zhaozhixu)
 
 And probably more people on [SourceForge](https://sourceforge.net/p/cjson/bugs/search/?q=status%3Aclosed-rejected+or+status%3Aclosed-out-of-date+or+status%3Awont-fix+or+status%3Aclosed-fixed+or+status%3Aclosed&page=0)
+
+Also thanks to all the people who reported bugs and suggested new features.

Makefile

@@ -8,10 +8,13 @@ CJSON_TEST_SRC = cJSON.c test.c
 
 LDLIBS = -lm
 
-LIBVERSION = 1.7.2
+LIBVERSION = 1.7.7
 CJSON_SOVERSION = 1
 UTILS_SOVERSION = 1
 
+CJSON_SO_LDFLAG=-Wl,-soname=$(CJSON_LIBNAME).so.$(CJSON_SOVERSION)
+UTILS_SO_LDFLAG=-Wl,-soname=$(UTILS_LIBNAME).so.$(UTILS_SOVERSION)
+
 PREFIX ?= /usr/local
 INCLUDE_PATH ?= include/cjson
 LIBRARY_PATH ?= lib
@@ -23,7 +26,7 @@ INSTALL ?= cp -a
 
 # validate gcc version for use fstack-protector-strong
 MIN_GCC_VERSION = "4.9"
-GCC_VERSION := "`gcc -dumpversion`"
+GCC_VERSION := "`$(CC) -dumpversion`"
 IS_GCC_ABOVE_MIN_VERSION := $(shell expr "$(GCC_VERSION)" ">=" "$(MIN_GCC_VERSION)")
 ifeq "$(IS_GCC_ABOVE_MIN_VERSION)" "1"
     CFLAGS += -fstack-protector-strong
@@ -42,6 +45,8 @@ STATIC = a
 ## create dynamic (shared) library on Darwin (base OS for MacOSX and IOS)
 ifeq (Darwin, $(uname))
 	SHARED = dylib
+	CJSON_SO_LDFLAG = ""
+    UTILS_SO_LDFLAG = ""
 endif
 
 #cJSON library names
@@ -90,10 +95,10 @@ $(UTILS_STATIC): $(UTILS_OBJ)
 #shared libraries .so.1.0.0
 #cJSON
 $(CJSON_SHARED_VERSION): $(CJSON_OBJ)
-	$(CC) -shared -o $@ $< $(LDFLAGS)
+	$(CC) -shared -o $@ $< $(CJSON_SO_LDFLAG) $(LDFLAGS)
 #cJSON_Utils
 $(UTILS_SHARED_VERSION): $(UTILS_OBJ)
-	$(CC) -shared -o $@ $< $(LDFLAGS)
+	$(CC) -shared -o $@ $< $(UTILS_SO_LDFLAG) $(LDFLAGS)
 
 #objects
 #cJSON

README.md

@@ -127,9 +127,11 @@ make DESTDIR=$pkgdir install
 On Windows CMake is usually used to create a Visual Studio solution file by running it inside the Developer Command Prompt for Visual Studio, for exact steps follow the official documentation from CMake and Microsoft and use the online search engine of your choice. The descriptions of the the options above still generally apply, although not all of them work on Windows.
 
 #### Makefile
+**NOTE:** This Method is deprecated. Use CMake if at all possible. Makefile support is limited to fixing bugs.
+
 If you don't have CMake available, but still have GNU make. You can use the makefile to build cJSON:
 
-Run this command in the directory with the source code and it will automatically compile static and shared libraries and a little test program.
+Run this command in the directory with the source code and it will automatically compile static and shared libraries and a little test program (not the full test suite).
 
 ```
 make all

cJSON.c

@@ -41,7 +41,6 @@
 #include <stdio.h>
 #include <math.h>
 #include <stdlib.h>
-#include <float.h>
 #include <limits.h>
 #include <ctype.h>
 
@@ -82,7 +81,7 @@ CJSON_PUBLIC(char *) cJSON_GetStringValue(cJSON *item) {
 }
 
 /* This is a safeguard to prevent copy-pasters from using incompatible C and header files */
-#if (CJSON_VERSION_MAJOR != 1) || (CJSON_VERSION_MINOR != 7) || (CJSON_VERSION_PATCH != 2)
+#if (CJSON_VERSION_MAJOR != 1) || (CJSON_VERSION_MINOR != 7) || (CJSON_VERSION_PATCH != 7)
     #error cJSON.h and cJSON.c have different versions. Make sure that both have the same.
 #endif
 
@@ -1114,10 +1113,10 @@ static unsigned char *print(const cJSON * const item, cJSON_bool format, const i
     if (hooks->reallocate != NULL)
     {
         printed = (unsigned char*) hooks->reallocate(buffer->buffer, buffer->offset + 1);
-        buffer->buffer = NULL;
         if (printed == NULL) {
             goto fail;
         }
+        buffer->buffer = NULL;
     }
     else /* otherwise copy the JSON over to a new buffer */
     {
@@ -1311,10 +1310,6 @@ static cJSON_bool print_value(const cJSON * const item, printbuffer * const outp
             size_t raw_length = 0;
             if (item->valuestring == NULL)
             {
-                if (!output_buffer->noalloc)
-                {
-                    output_buffer->hooks.deallocate(output_buffer->buffer);
-                }
                 return false;
             }
 
@@ -1899,32 +1894,37 @@ static void* cast_away_const(const void* string)
 
 static cJSON_bool add_item_to_object(cJSON * const object, const char * const string, cJSON * const item, const internal_hooks * const hooks, const cJSON_bool constant_key)
 {
+    char *new_key = NULL;
+    int new_type = cJSON_Invalid;
+
     if ((object == NULL) || (string == NULL) || (item == NULL))
     {
         return false;
     }
 
+    if (constant_key)
+    {
+        new_key = (char*)cast_away_const(string);
+        new_type = item->type | cJSON_StringIsConst;
+    }
+    else
+    {
+        new_key = (char*)cJSON_strdup((const unsigned char*)string, hooks);
+        if (new_key == NULL)
+        {
+            return false;
+        }
+
+        new_type = item->type & ~cJSON_StringIsConst;
+    }
+
     if (!(item->type & cJSON_StringIsConst) && (item->string != NULL))
     {
         hooks->deallocate(item->string);
     }
 
-    if (constant_key)
+    item->string = new_key;
-    {
+    item->type = new_type;
-        item->string = (char*)cast_away_const(string);
-        item->type |= cJSON_StringIsConst;
-    }
-    else
-    {
-        char *key = (char*)cJSON_strdup((const unsigned char*)string, hooks);
-        if (key == NULL)
-        {
-            return false;
-        }
-
-        item->string = key;
-        item->type &= ~cJSON_StringIsConst;
-    }
 
     return add_item_to_array(object, item);
 }

cJSON.h

@@ -31,7 +31,7 @@ extern "C"
 /* project version */
 #define CJSON_VERSION_MAJOR 1
 #define CJSON_VERSION_MINOR 7
-#define CJSON_VERSION_PATCH 2
+#define CJSON_VERSION_PATCH 7
 
 #include <stddef.h>
 
@@ -156,7 +156,7 @@ CJSON_PUBLIC(void) cJSON_Delete(cJSON *c);
 
 /* Returns the number of items in an array (or object). */
 CJSON_PUBLIC(int) cJSON_GetArraySize(const cJSON *array);
-/* Retrieve item number "item" from array "array". Returns NULL if unsuccessful. */
+/* Retrieve item number "index" from array "array". Returns NULL if unsuccessful. */
 CJSON_PUBLIC(cJSON *) cJSON_GetArrayItem(const cJSON *array, int index);
 /* Get item "string" from object. Case insensitive. */
 CJSON_PUBLIC(cJSON *) cJSON_GetObjectItem(const cJSON * const object, const char * const string);

cJSON_Utils.c

@@ -988,6 +988,12 @@ static int apply_patch(cJSON *object, const cJSON *patch, const cJSON_bool case_
         cJSON_AddItemToObject(parent, (char*)child_pointer, value);
         value = NULL;
     }
+    else /* parent is not an object */
+    {
+        /* Couldn't find object to add to. */
+        status = 9;
+        goto cleanup;
+    }
 
 cleanup:
     if (value != NULL)

cJSON_Utils.h

@@ -20,6 +20,14 @@
   THE SOFTWARE.
 */
 
+#ifndef cJSON_Utils__h
+#define cJSON_Utils__h
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
 #include "cJSON.h"
 
 /* Implement RFC6901 (https://tools.ietf.org/html/rfc6901) JSON Pointer spec. */
@@ -72,3 +80,9 @@ CJSON_PUBLIC(char *) cJSONUtils_FindPointerFromObjectTo(const cJSON * const obje
 /* Sorts the members of the object into alphabetical order. */
 CJSON_PUBLIC(void) cJSONUtils_SortObject(cJSON * const object);
 CJSON_PUBLIC(void) cJSONUtils_SortObjectCaseSensitive(cJSON * const object);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

tests/json-patch-tests/cjson-utils-tests.json

@@ -80,5 +80,12 @@
 	"doc": { "foo": ["bar"] },
 	"patch": [ { "op": "add", "path": "/foo/-", "value": ["abc", "def"] }],
 	"expected": {"foo": ["bar", ["abc", "def"]] }
-    }
+    },
+
+    { 
+        "comment": "15",
+        "doc": {"foo": {"bar": 1}},
+        "patch": [{"op": "add", "path": "/foo/bar/baz", "value": "5"}],
+        "error": "attempting to add to subfield of non-object"
+    } 
 ]

tests/misc_tests.c

@@ -508,6 +508,25 @@ static void cjson_create_array_reference_should_create_an_array_reference(void)
     cJSON_Delete(number_reference);
 }
 
+static void cjson_add_item_to_object_should_not_use_after_free_when_string_is_aliased(void)
+{
+    cJSON *object = cJSON_CreateObject();
+    cJSON *number = cJSON_CreateNumber(42);
+    char *name = (char*)cJSON_strdup((const unsigned char*)"number", &global_hooks);
+
+    TEST_ASSERT_NOT_NULL(object);
+    TEST_ASSERT_NOT_NULL(number);
+    TEST_ASSERT_NOT_NULL(name);
+
+    number->string = name;
+
+    /* The following should not have a use after free
+     * that would show up in valgrind or with AddressSanitizer */
+    cJSON_AddItemToObject(object, number->string, number);
+
+    cJSON_Delete(object);
+}
+
 int main(void)
 {
     UNITY_BEGIN();
@@ -530,6 +549,7 @@ int main(void)
     RUN_TEST(cjson_create_string_reference_should_create_a_string_reference);
     RUN_TEST(cjson_create_object_reference_should_create_an_object_reference);
     RUN_TEST(cjson_create_array_reference_should_create_an_array_reference);
+    RUN_TEST(cjson_add_item_to_object_should_not_use_after_free_when_string_is_aliased);
 
     return UNITY_END();
 }