From d39d77b66ea27d767980a293d7900157800d6d46 Mon Sep 17 00:00:00 2001
From: yueyaoqiang <yueyaoqiang@kylinos.cn>
Date: Fri, 26 Apr 2024 14:10:51 +0800
Subject: [PATCH] fix CVE-2024-31755

---
 backport-CVE-2024-31755.patch | 12 ++++++++++++
 cjson.spec                    |  6 +++++-
 2 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2024-31755.patch

diff --git a/backport-CVE-2024-31755.patch b/backport-CVE-2024-31755.patch
new file mode 100644
index 0000000..608d071
--- /dev/null
+++ b/backport-CVE-2024-31755.patch
@@ -0,0 +1,12 @@
+diff -Naur cJSON-1.7.15/cJSON.c cJSON-1.7.15_cve/cJSON.c
+--- cJSON-1.7.15/cJSON.c	2024-04-26 14:02:46.912066268 +0800
++++ cJSON-1.7.15_cve/cJSON.c	2024-04-26 14:04:07.538061462 +0800
+@@ -406,7 +406,7 @@
+         return NULL;
+     }
+     /* return NULL if the object is corrupted */
+-    if (object->valuestring == NULL)
++    if (object->valuestring == NULL || valuestring == NULL)
+     {
+         return NULL;
+     }
diff --git a/cjson.spec b/cjson.spec
index ad07f22..c79ad5f 100644
--- a/cjson.spec
+++ b/cjson.spec
@@ -1,6 +1,6 @@
 Name:           cjson
 Version:        1.7.15
-Release:        3
+Release:        4
 Summary:        Ultralightweight JSON parser in ANSI C
  
 License:        MIT and ASL 2.0
@@ -9,6 +9,7 @@ Source0:        https://github.com/DaveGamble/cJSON/archive/refs/tags/v1.7.15.ta
  
 Patch0001:	backport-CVE-2023-50471_50472.patch
 Patch0002:	backport-fix-potential-memory-leak-in-merge_patch.patch
+Patch003:       backport-CVE-2024-31755.patch
 
 BuildRequires:  gcc
 BuildRequires:  cmake
@@ -53,6 +54,9 @@ rm -f %{buildroot}%{_libdir}/cmake/cJSON/*.cmake
 %{_includedir}/cjson/
 
 %changelog
+* Fri Apr 26 2024 yueyaoqiang <yueyaoqiang@kylinos.cn> - 1.7.15-4
+- fix CVE-2024-31755
+
 * Tue Mar 05 2024 xiejing <xiejing@kylinos.cn> - 1.7.15-3
 - fix potential memory leak in merge_patch()
 
-- 
Gitee