Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

infinite loop of cJSON_Minify function in version 1.7.11 #354

Closed
Alanscut opened this issue May 16, 2019 · 2 comments
Closed

infinite loop of cJSON_Minify function in version 1.7.11 #354

Alanscut opened this issue May 16, 2019 · 2 comments
Labels
bug

Comments

@Alanscut
Copy link
Collaborator

Hi, Max @FSMaxB , I encountered an infinite loop when I used the '/' character alone(not // or /*).
this is my test demo:

int main(void)
{
        char str[] = { '8', ' ', '/', ' ', '5', '\n' };
	cJSON_Minify(str);
	printf("after minify, str: %s\n", str);

	return 0;
}

the program will not end.
The cJSON_Minify() function does not stop if the input string contains the '/' character. Since line 2712 of the cJSON.c file mistakenly thinks that it is going to enter the comment part, and in fact "/" is not necessarily the beginning of the comment, then Break jumps out of the switch statement and enters the while loop again, forming an infinite loop.
image
@FSMaxB FSMaxB added the bug label May 16, 2019
@FSMaxB
Copy link
Collaborator

FSMaxB commented May 16, 2019

Well that is embarrassing ...
I'll take a look and try to fix this bug!

Please not that your test code also has a bug, since there is no '\0' at the end of your string.

@FSMaxB
Copy link
Collaborator

FSMaxB commented May 16, 2019

Fixed in cJSON 1.7.12

@FSMaxB FSMaxB closed this as completed May 16, 2019
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue May 18, 2019
@ffontaine @tpetazzoni
package/cjson: security bump to version 1.7.12
2ee83e0 
Fix infinite loop in cJSON_Minify (potential Denial of Service), see
DaveGamble/cJSON#354

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
texierp pushed a commit to texierp/buildroot that referenced this issue Jun 2, 2019
@ffontaine @texierp
package/cjson: security bump to version 1.7.12
65ee210 
Fix infinite loop in cJSON_Minify (potential Denial of Service), see
DaveGamble/cJSON#354

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
buildroot-auto-update pushed a commit to buildroot/buildroot that referenced this issue Jun 6, 2019
@ffontaine @jacmet
package/cjson: security bump to version 1.7.12
450e61e 
Fix infinite loop in cJSON_Minify (potential Denial of Service), see
DaveGamble/cJSON#354

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
(cherry picked from commit 2ee83e0)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
igrr pushed a commit to espressif/esp-idf that referenced this issue Aug 27, 2019
@projectgus
Update cJSON to v1.7.12
f72dc5b 
Fixes potential DoS in cJSON_Minify, see DaveGamble/cJSON#354
igrr pushed a commit to espressif/esp-idf that referenced this issue Aug 30, 2019
@projectgus
Update cJSON to v1.7.12
58dc504 
Fixes potential DoS in cJSON_Minify, see DaveGamble/cJSON#354
igrr pushed a commit to espressif/esp-idf that referenced this issue Sep 5, 2019
@projectgus
Update cJSON to v1.7.12
aa0bb29 
Fixes potential DoS in cJSON_Minify, see DaveGamble/cJSON#354
igrr pushed a commit to espressif/esp-idf that referenced this issue Sep 16, 2019
@projectgus
Update cJSON to v1.7.12
1d95383 
Fixes potential DoS in cJSON_Minify, see DaveGamble/cJSON#354
wujiangang pushed a commit to espressif/ESP8266_RTOS_SDK that referenced this issue Sep 18, 2019
feat(json): update cJSON to v1.7.12
26bd48c 
Fixes potential DoS in cJSON_Minify, see DaveGamble/cJSON#354

Using submodule instead of source code.
igrr pushed a commit to espressif/esp-idf that referenced this issue Sep 21, 2019
@projectgus
Update cJSON to v1.7.12
8e32eb7 
Fixes potential DoS in cJSON_Minify, see DaveGamble/cJSON#354
igrr pushed a commit to espressif/esp-idf that referenced this issue Sep 29, 2019
@projectgus
Update cJSON to v1.7.12
4238d73 
Fixes potential DoS in cJSON_Minify, see DaveGamble/cJSON#354
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@FSMaxB @Alanscut