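--- a/devel/json-c/Makefile
+++ b/devel/json-c/Makefile
@@ -2,11 +2,10 @@
 # $FreeBSD$
 
 PORTNAME=	json-c
-PORTVERSION=	0.13.1
-PORTREVISION=	1
+PORTVERSION=	0.14
 CATEGORIES=	devel
 MASTER_SITES=	https://s3.amazonaws.com/json-c_releases/releases/ \
-		LOCAL/sunpoet
+		https://ftp.osuosl.org/pub/blfs/conglomeration/jsonc/
 
 MAINTAINER=	sunpoet@FreeBSD.org
 COMMENT=	JSON (JavaScript Object Notation) implementation in C
@@ -14,19 +13,23 @@ COMMENT= JSON (JavaScript Object Notation) implementation in C
 LICENSE=	MIT
 LICENSE_FILE=	${WRKSRC}/COPYING
 
-USES=		autoreconf compiler:c11 cpe libtool pathfix pkgconfig
+USES=		cmake compiler:c11 cpe
 
-GNU_CONFIGURE=	yes
-INSTALL_TARGET=	install-strip
-TEST_TARGET=	check
-USE_LDCONFIG=	yes
+TEST_TARGET=	test
 
 CPE_VENDOR=	json-c_project
 
-post-patch:
-	@${REINPLACE_CMD} -e 's| -Werror||g' ${WRKSRC}/Makefile.in
+OPTIONS_DEFINE=	TEST
+TEST_CMAKE_BOOL=	BUILD_TESTING
+
+.include <bsd.port.options.mk>
+.if ! ${PORT_OPTIONS:MSTATIC}
+USE_LDCONFIG=	yes
+.endif
 
 post-install:
 	${INSTALL_DATA} ${WRKSRC}/json_object_private.h ${STAGEDIR}${PREFIX}/include/json-c/
+	# Reference: https://github.com/json-c/json-c/pull/585
+	${RM} ${STAGEDIR}${PREFIX}/include/json-c/config.h
 
 .include <bsd.port.mk>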
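Review bot: The new guard `.if ! ${PORT_OPTIONS:MSTATIC}` tests an option this Makefile never declares, since `OPTIONS_DEFINE` lists only `TEST`, so the condition is always true and `USE_LDCONFIG=	yes` is still set unconditionally. Either declare the option (`OPTIONS_DEFINE=	STATIC TEST`) and wire it to the build, or drop the `.if`/`.endif` pair. The removed `post-patch` target stripped `-Werror` from the autotools build and has no CMake counterpart here; the wrapper script deleted elsewhere in this patch maps `--disable-werror` to `-DDISABLE_WERROR=ON`, which suggests the CMake build also treats warnings as errors by default, so `CMAKE_ARGS+=	-DDISABLE_WERROR=ON` would keep a new compiler warning from breaking the port.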
(-)b/devel/json-c/distinfo (-3 / +3 lines)
Lines 1-3 Link Here
1
TIMESTAMP = 1520527097
1
TIMESTAMP = 1588452653
2
SHA256 (json-c-0.13.1.tar.gz) = b87e608d4d3f7bfdd36ef78d56d53c74e66ab278d318b71e6002a369d36f4873
2
SHA256 (json-c-0.14.tar.gz) = b377de08c9b23ca3b37d9a9828107dff1de5ce208ff4ebb35005a794f30c6870
3
SIZE (json-c-0.13.1.tar.gz) = 639425
3
SIZE (json-c-0.14.tar.gz) = 321677
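--- a/devel/json-c/files/patch-CMakeLists.txt
+++ b/devel/json-c/files/patch-CMakeLists.txt
@@ -0,0 +1,92 @@
+--- CMakeLists.txt.orig	2020-05-14 09:41:45 UTC
++++ CMakeLists.txt
+@@ -7,7 +7,7 @@ if(POLICY CMP0048)
+ endif()
+ 
+ # JSON-C library is C only project.
+-project(json-c LANGUAGES C VERSION 0.14)
++project(json-c LANGUAGES C VERSION 0.14.99)
+ 
+ # If we've got 3.0 then it's good, let's provide support. Otherwise, leave it be.
+ if(POLICY CMP0038)
+@@ -65,6 +65,7 @@ include(GNUInstallDirs)
+ include(CMakePackageConfigHelpers)
+ 
+ option(BUILD_SHARED_LIBS  "Default to building shared libraries" ON)
++option(BUILD_STATIC_LIBS  "Default to building static libraries" ON)
+ 
+ # Generate a release merge and test it to verify the correctness of republishing the package.
+ ADD_CUSTOM_TARGET(distcheck
+@@ -108,6 +109,7 @@ check_include_files("stdlib.h;stdarg.h;string.h;float.
+ 
+ check_include_file(unistd.h         HAVE_UNISTD_H)
+ check_include_file(sys/types.h      HAVE_SYS_TYPES_H)
++check_include_file(sys/resource.h   HAVE_SYS_RESOURCE_H) # for getrusage
+ 
+ check_include_file("dlfcn.h"        HAVE_DLFCN_H)
+ check_include_file("endian.h"       HAVE_ENDIAN_H)
+@@ -165,6 +167,9 @@ endif()
+ if (HAVE_SYSLOG_H)
+     check_symbol_exists(vsyslog     "syslog.h" HAVE_VSYSLOG)
+ endif()
++if (HAVE_SYS_RESOURCE_H)
++    check_symbol_exists(getrusage   "sys/resource.h" HAVE_GETRUSAGE)
++endif()
+ 
+ check_symbol_exists(strtoll     "stdlib.h" HAVE_STRTOLL)
+ check_symbol_exists(strtoull    "stdlib.h" HAVE_STRTOULL)
+@@ -299,7 +304,7 @@ if ($ENV{VALGRIND})
+ endif()
+ 
+ set(JSON_C_PUBLIC_HEADERS
+-    ${PROJECT_BINARY_DIR}/config.h
++    # Note: config.h is _not_ included here
+     ${PROJECT_BINARY_DIR}/json_config.h
+ 
+     ${PROJECT_SOURCE_DIR}/json.h
+@@ -383,7 +388,7 @@ add_library(${PROJECT_NAME}
+ set_target_properties(${PROJECT_NAME} PROPERTIES
+     VERSION 5.0.0
+     SOVERSION 5)
+-
++list(APPEND CMAKE_TARGETS ${PROJECT_NAME})
+ # If json-c is used as subroject it set to target correct interface -I flags and allow
+ # to build external target without extra include_directories(...)
+ target_include_directories(${PROJECT_NAME}
+@@ -392,7 +397,35 @@ target_include_directories(${PROJECT_NAME}
+         $<BUILD_INTERFACE:${PROJECT_BINARY_DIR}>
+ )
+ 
+-install(TARGETS ${PROJECT_NAME}
++# Allow to build static and shared libraries at the same time
++if (BUILD_STATIC_LIBS AND BUILD_SHARED_LIBS)
++    set(STATIC_LIB ${PROJECT_NAME}-static)
++    add_library(${STATIC_LIB} STATIC
++        ${JSON_C_SOURCES}
++        ${JSON_C_HEADERS}
++    )
++
++    # rename the static library
++    if (NOT MSVC)
++    set_target_properties(${STATIC_LIB} PROPERTIES
++        OUTPUT_NAME ${PROJECT_NAME}
++    )
++    endif()
++    list(APPEND CMAKE_TARGETS ${STATIC_LIB})
++endif ()
++
++# Always create new install dirs with 0755 permissions, regardless of umask
++set(CMAKE_INSTALL_DEFAULT_DIRECTORY_PERMISSIONS
++	OWNER_READ
++	OWNER_WRITE
++	OWNER_EXECUTE
++	GROUP_READ
++	GROUP_EXECUTE
++	WORLD_READ
++	WORLD_EXECUTE
++   )
++
++install(TARGETS ${CMAKE_TARGETS}
+     EXPORT ${PROJECT_NAME}-targets
+     RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}
+     LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}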
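Review bot: The new `${PROJECT_NAME}-static` target joins the `${PROJECT_NAME}-targets` export set, but in the visible hunks only `${PROJECT_NAME}` receives `target_include_directories(...)`, so a consumer importing the static target would inherit no include path unless one is set outside these hunks. Repeating that call for `${STATIC_LIB}` inside the `if (BUILD_STATIC_LIBS AND BUILD_SHARED_LIBS)` block would close the gap. The list variable `CMAKE_TARGETS` sits in the `CMAKE_` namespace that CMake reserves for itself; a project-prefixed name such as `JSON_C_TARGETS` avoids a later clash. The change to `project(json-c LANGUAGES C VERSION 0.14.99)` also deserves a comment, because any version string generated from it would no longer match the 0.14 distfile that vulnerability tracking keys on.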
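--- a/devel/json-c/files/patch-cmake-configure
+++ b/devel/json-c/files/patch-cmake-configure
@@ -0,0 +1,91 @@
+--- cmake-configure.orig	2020-05-14 09:42:45 UTC
++++ cmake-configure
+@@ -1,87 +1 @@
+-#!/bin/bash
+-
+-# Wrapper around cmake to emulate useful options
+-# from the previous autoconf-based configure script.
+-
+-RUNDIR=$(dirname "$0")
+-RUNDIR=$(cd "$RUNDIR" && pwd)
+-CURDIR=$(pwd)
+-
+-FLAGS=()
+-
+-usage()
+-{
+-	exitval="$1"
+-	errmsg="$2"
+-
+-	if [ $exitval -ne 0 ] ; then
+-		exec 1>&2
+-	fi
+-	if [ ! -z "$errmsg" ] ; then
+-		echo "ERROR: $errmsg" 1>&2
+-	fi
+-	cat <<EOF
+-$0 [<configure_options>] [-- [<cmake options>]]
+-  --prefix=PREFIX         install architecture-independent files in PREFIX
+-  --enable-threading      Enable code to support partly multi-threaded use
+-  --enable-rdrand         Enable RDRAND Hardware RNG Hash Seed generation on
+-                          supported x86/x64 platforms.
+-  --enable-shared         build shared libraries [default=yes]
+-  --enable-static         build static libraries [default=yes]
+-  --disable-Bsymbolic     Avoid linking with -Bsymbolic-function
+-  --disable-werror        Avoid treating compiler warnings as fatal errors
+-
+-EOF
+-	exit
+-}
+-
+-if [ "$CURDIR" = "$RUNDIR" ] ; then
+-	usage 1 "Please mkdir some other build directory, and run this script from there."
+-fi
+-
+-if ! cmake --version ; then
+-	usage 1 "Unable to find a working cmake, please be sure you have it installed and on your PATH"
+-fi
+-
+-while [ $# -gt 0 ] ; do
+-	case "$1" in
+-	-h|--help)
+-		usage 0
+-		;;
+-	--prefix)
+-		FLAGS+=(-DCMAKE_INSTALL_PREFIX="$2")
+-		shift
+-		;;
+-	--enable-threading)
+-		FLAGS+=(-DENABLE_THREADING=ON)
+-		;;
+-	--enable-rdrand)
+-		FLAGS+=(-DENABLE_RDRAND=ON)
+-		;;
+-	--enable-shared)
+-		FLAGS+=(-DBUILD_SHARED_LIBS=ON)
+-		;;
+-	--enable-static)
+-		FLAGS+=(-DBUILD_SHARED_LIBS=OFF)
+-		;;
+-	--disable-Bsymbolic)
+-		FLAGS+=(-DDISABLE_BSYMBOLIC=ON)
+-		;;
+-	--disable-werror)
+-		FLAGS+=(-DDISABLE_WERROR=ON)
+-		;;
+-	--)
+-		shift
+-		break
+-		;;
+-	-*)
+-		usage 1 "Unknown arguments: $*"
+-		;;
+-	*)
+-		break
+-		;;
+-	esac
+-	shift
+-done
+-
+-exec cmake "${FLAGS[@]}" "$@" "${RUNDIR}"
++cmake-configure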
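Review bot: Nothing in this patch file or in the port Makefile says why the 87-line `cmake-configure` wrapper is replaced by a file whose only content is the text `cmake-configure`; the result is neither a script nor an obvious placeholder, and it reads like a symlink or rename in the upstream tree that was flattened into a text diff. A short explanatory line above the `--- cmake-configure.orig` header, stating what the one-line file stands for and whether the port depends on it, would let the next maintainer decide if the patch can be dropped at the next update. If the port never runs the wrapper, leaving the upstream script untouched would be the smaller change.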
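--- a/devel/json-c/files/patch-cmake_config.h.in
+++ b/devel/json-c/files/patch-cmake_config.h.in
@@ -0,0 +1,27 @@
+--- cmake/config.h.in.orig	2020-05-14 09:44:39 UTC
++++ cmake/config.h.in
+@@ -1,4 +1,3 @@
+-/* config.h.in.  Generated from configure.ac by autoheader.  */
+ 
+ /* Enable RDRAND Hardware RNG Hash Seed */
+ #cmakedefine ENABLE_RDRAND "@ENABLE_RDRAND@"
+@@ -54,6 +53,9 @@
+ /* Define to 1 if you have the <sys/param.h> header file. */
+ #cmakedefine HAVE_SYS_PARAM_H @HAVE_SYS_PARAM_H@
+ 
++/* Define to 1 if you have the <sys/resource.h> header file. */
++#cmakedefine HAVE_SYS_RESOURCE_H
++
+ /* Define to 1 if you have the <sys/stat.h> header file. */
+ #cmakedefine HAVE_SYS_STAT_H
+ 
+@@ -134,6 +136,9 @@
+ 
+ /* Define to 1 if you have the `vsyslog' function. */
+ #cmakedefine HAVE_VSYSLOG @HAVE_VSYSLOG@
++
++/* Define if you have the `getrusage' function. */
++#cmakedefine HAVE_GETRUSAGE
+ 
+ #cmakedefine HAVE_STRTOLL
+ #if !defined(HAVE_STRTOLL)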
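--- a/devel/json-c/files/patch-cve-2020-12762
+++ b/devel/json-c/files/patch-cve-2020-12762
@@ -0,0 +1,155 @@
+From 099016b7e8d70a6d5dd814e788bba08d33d48426 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Mon, 4 May 2020 19:41:16 +0200
+Subject: [PATCH 1/3] Protect array_list_del_idx against size_t overflow.
+
+If the assignment of stop overflows due to idx and count being
+larger than SIZE_T_MAX in sum, out of boundary access could happen.
+
+It takes invalid usage of this function for this to happen, but
+I decided to add this check so array_list_del_idx is as safe against
+bad usage as the other arraylist functions.
+---
+ arraylist.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arraylist.c b/arraylist.c
+index 12ad8af6d3..e5524aca75 100644
+--- arraylist.c
++++ arraylist.c
+@@ -136,6 +136,9 @@ int array_list_del_idx(struct array_list *arr, size_t idx, size_t count)
+ {
+ 	size_t i, stop;
+ 
++	/* Avoid overflow in calculation with large indices. */
++	if (idx > SIZE_T_MAX - count)
++		return -1;
+ 	stop = idx + count;
+ 	if (idx >= arr->length || stop > arr->length)
+ 		return -1;
+
+From 77d935b7ae7871a1940cd827e850e6063044ec45 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Mon, 4 May 2020 19:46:45 +0200
+Subject: [PATCH 2/3] Prevent division by zero in linkhash.
+
+If a linkhash with a size of zero is created, then modulo operations
+are prone to division by zero operations.
+
+Purely protective measure against bad usage.
+---
+ linkhash.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/linkhash.c b/linkhash.c
+index 7ea58c0abf..f05cc38030 100644
+--- linkhash.c
++++ linkhash.c
+@@ -12,6 +12,7 @@
+ 
+ #include "config.h"
+ 
++#include <assert.h>
+ #include <limits.h>
+ #include <stdarg.h>
+ #include <stddef.h>
+@@ -499,6 +500,8 @@ struct lh_table *lh_table_new(int size, lh_entry_free_fn *free_fn, lh_hash_fn *h
+ 	int i;
+ 	struct lh_table *t;
+ 
++	/* Allocate space for elements to avoid divisions by zero. */
++	assert(size > 0);
+ 	t = (struct lh_table *)calloc(1, sizeof(struct lh_table));
+ 	if (!t)
+ 		return NULL;
+
+From d07b91014986900a3a75f306d302e13e005e9d67 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Mon, 4 May 2020 19:47:25 +0200
+Subject: [PATCH 3/3] Fix integer overflows.
+
+The data structures linkhash and printbuf are limited to 2 GB in size
+due to a signed integer being used to track their current size.
+
+If too much data is added, then size variable can overflow, which is
+an undefined behaviour in C programming language.
+
+Assuming that a signed int overflow just leads to a negative value,
+like it happens on many sytems (Linux i686/amd64 with gcc), then
+printbuf is vulnerable to an out of boundary write on 64 bit systems.
+---
+ linkhash.c |  7 +++++--
+ printbuf.c | 19 ++++++++++++++++---
+ 2 files changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/linkhash.c b/linkhash.c
+index f05cc38030..51e90b13a2 100644
+--- linkhash.c
++++ linkhash.c
+@@ -580,9 +580,12 @@ int lh_table_insert_w_hash(struct lh_table *t, const void *k, const void *v, con
+ {
+ 	unsigned long n;
+ 
+-	if (t->count >= t->size * LH_LOAD_FACTOR)
+-		if (lh_table_resize(t, t->size * 2) != 0)
++	if (t->count >= t->size * LH_LOAD_FACTOR) {
++		/* Avoid signed integer overflow with large tables. */
++		int new_size = INT_MAX / 2 < t->size ? t->size * 2 : INT_MAX;
++		if (t->size == INT_MAX || lh_table_resize(t, new_size) != 0)
+ 			return -1;
++	}
+ 
+ 	n = h % t->size;
+ 
+diff --git a/printbuf.c b/printbuf.c
+index 976c12dde5..00822fac4f 100644
+--- printbuf.c
++++ printbuf.c
+@@ -15,6 +15,7 @@
+ 
+ #include "config.h"
+ 
++#include <limits.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -65,10 +66,16 @@ static int printbuf_extend(struct printbuf *p, int min_size)
+ 
+ 	if (p->size >= min_size)
+ 		return 0;
+-
+-	new_size = p->size * 2;
+-	if (new_size < min_size + 8)
++	/* Prevent signed integer overflows with large buffers. */
++	if (min_size > INT_MAX - 8)
++		return -1;
++	if (p->size > INT_MAX / 2)
+ 		new_size = min_size + 8;
++	else {
++		new_size = p->size * 2;
++		if (new_size < min_size + 8)
++			new_size = min_size + 8;
++	}
+ #ifdef PRINTBUF_DEBUG
+ 	MC_DEBUG("printbuf_memappend: realloc "
+ 	         "bpos=%d min_size=%d old_size=%d new_size=%d\n",
+@@ -83,6 +90,9 @@ static int printbuf_extend(struct printbuf *p, int min_size)
+ 
+ int printbuf_memappend(struct printbuf *p, const char *buf, int size)
+ {
++	/* Prevent signed integer overflows with large buffers. */
++	if (size > INT_MAX - p->bpos - 1)
++		return -1;
+ 	if (p->size <= p->bpos + size + 1)
+ 	{
+ 		if (printbuf_extend(p, p->bpos + size + 1) < 0)
+@@ -100,6 +110,9 @@ int printbuf_memset(struct printbuf *pb, int offset, int charvalue, int len)
+ 
+ 	if (offset == -1)
+ 		offset = pb->bpos;
++	/* Prevent signed integer overflows with large buffers. */
++	if (len > INT_MAX - offset)
++		return -1;
+ 	size_needed = offset + len;
+ 	if (pb->size < size_needed)
+ 	{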
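Review bot: The ternary added to `lh_table_insert_w_hash` is inverted: `INT_MAX / 2 < t->size ? t->size * 2 : INT_MAX` doubles exactly when `t->size` is already above `INT_MAX / 2`, which is the overflowing case, and asks `lh_table_resize` for `INT_MAX` entries in every other case, so the first resize of an ordinary table is likely to fail its allocation and make the insert return -1. The intended form is `int new_size = (t->size > INT_MAX / 2) ? INT_MAX : t->size * 2;`. Separately, `assert(size > 0)` in `lh_table_new` is compiled out when the library is built with `NDEBUG`, so the division-by-zero guard is absent from such builds; a runtime check such as `if (size <= 0) return NULL;` would hold in every configuration. The bodies of all patched functions continue outside the quoted hunks.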
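--- a/devel/json-c/files/patch-json_object.c
+++ b/devel/json-c/files/patch-json_object.c
@@ -1,14 +0,0 @@
---- json_object.c.orig	2020-02-18 20:12:20 UTC
-+++ json_object.c
-@@ -698,9 +698,9 @@ int64_t json_object_get_int64(const struct json_object
- 	case json_type_int:
- 		return jso->o.c_int64;
- 	case json_type_double:
--		if (jso->o.c_double >= INT64_MAX)
-+		if (jso->o.c_double >= (double)INT64_MAX)
- 			return INT64_MAX;
--		if (jso->o.c_double <= INT64_MIN)
-+		if (jso->o.c_double <= (double)INT64_MIN)
- 			return INT64_MIN;
- 		return (int64_t)jso->o.c_double;
- 	case json_type_boolean: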
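--- a/devel/json-c/files/patch-tests-test_parse.c
+++ b/devel/json-c/files/patch-tests-test_parse.c
@@ -1,17 +0,0 @@
---- tests/test_parse.c.orig	2018-01-16 04:33:49 UTC
-+++ tests/test_parse.c
-@@ -253,11 +253,11 @@ struct incremental_step {
- 	   the next few tests check that parsing multiple sequential
-        json objects in the input works as expected */
- 	{ "null123",           9, 4, json_tokener_success, 0 },
--	{ "null123" + 4,       4, 3, json_tokener_success, 1 },
-+	{ &"null123"[4],       4, 3, json_tokener_success, 1 },
- 	{ "nullx",             5, 4, json_tokener_success, 0 },
--	{ "nullx" + 4,         2, 0, json_tokener_error_parse_unexpected, 1 },
-+	{ &"nullx"[4],         2, 0, json_tokener_error_parse_unexpected, 1 },
- 	{ "{\"a\":1}{\"b\":2}",15, 7, json_tokener_success, 0 },
--	{ "{\"a\":1}{\"b\":2}" + 7,
-+	{ &"{\"a\":1}{\"b\":2}"[7],
- 	                       8, 7, json_tokener_success, 1 },
- 
- 	/* Some bad formatting. Check we get the correct error status */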
(-)b/devel/json-c/pkg-plist (-4 / +6 lines)
Lines 1-5 Link Here
1
include/json-c/arraylist.h
1
include/json-c/arraylist.h
2
include/json-c/bits.h
3
include/json-c/debug.h
2
include/json-c/debug.h
4
include/json-c/json.h
3
include/json-c/json.h
5
include/json-c/json_c_version.h
4
include/json-c/json_c_version.h
Lines 10-21 include/json-c/json_object_iterator.h Link Here
10
include/json-c/json_object_private.h
9
include/json-c/json_object_private.h
11
include/json-c/json_pointer.h
10
include/json-c/json_pointer.h
12
include/json-c/json_tokener.h
11
include/json-c/json_tokener.h
12
include/json-c/json_types.h
13
include/json-c/json_util.h
13
include/json-c/json_util.h
14
include/json-c/json_visit.h
14
include/json-c/json_visit.h
15
include/json-c/linkhash.h
15
include/json-c/linkhash.h
16
include/json-c/printbuf.h
16
include/json-c/printbuf.h
17
lib/cmake/json-c/json-c-config.cmake
18
lib/cmake/json-c/json-c-targets-%%CMAKE_BUILD_TYPE%%.cmake
19
lib/cmake/json-c/json-c-targets.cmake
17
lib/libjson-c.a
20
lib/libjson-c.a
18
lib/libjson-c.so
21
lib/libjson-c.so
19
lib/libjson-c.so.4
22
lib/libjson-c.so.5
20
lib/libjson-c.so.4.0.0
23
lib/libjson-c.so.5.0.0
21
libdata/pkgconfig/json-c.pc
24
libdata/pkgconfig/json-c.pc
22
- 
