pool/json-c
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 250461 from devel:libraries:c_c++

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/250461
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/json-c?expand=0&rev=19
This commit is contained in:
Stephan Kulow 2014-09-23 15:16:53 +00:00 committed by Git OBS Bridge
commit b15f3a4cb2
7 changed files with 91 additions and 937 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
json-c-0.11.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:28dfc65145dc0d4df1dfe7701ac173c4e5f9347176c8983edbfac9149494448c
size 557263

34
json-c-0.12-unused_variable_size.patch Normal file
View File

@ -0,0 +1,34 @@
Author: Petar Koretić <petar.koretic@gmail.com>
Date: Fri Apr 11 10:03:40 2014 +0200
Subject: Remove unused variable 'size'
Upstream: committed
References: https://github.com/json-c/json-c/commit/259c5c0b5fe87c2db41e7a989cc0ab5865170d81#diff-1a2844909ac019b51939d6a7d97c7cd0
Remove unused variable 'size'
[ 31s] json_tokener.c: In function 'json_tokener_parse_ex':
[ 31s] json_tokener.c:355:6: error: variable 'size' set but not used [-Werror=unused-but-set-variable]
[ 31s] int size;
[ 31s] ^
---
json_tokener.c | 2 --
1 file changed, 2 deletions(-)
Index: json-c-0.12/json_tokener.c
===================================================================
--- json-c-0.12.orig/json_tokener.c 2014-04-11 01:41:08.000000000 +0100
+++ json-c-0.12/json_tokener.c 2014-09-20 12:33:05.000000000 +0100
@@ -352,12 +352,10 @@ struct json_object* json_tokener_parse_e
case json_tokener_state_inf: /* aka starts with 'i' */
{
- int size;
int size_inf;
int is_negative = 0;
printbuf_memappend_fast(tok->pb, &c, 1);
- size = json_min(tok->st_pos+1, json_null_str_len);
size_inf = json_min(tok->st_pos+1, json_inf_str_len);
char *infbuf = tok->pb->buf;
if (*infbuf == '-')

3
json-c-0.12.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:000c01b2b3f82dcb4261751eb71f1b084404fb7d6a282f06074d3c17078b9f3f
size 501419

860
json-c-hash-dos-and-overflow-random-seed-4e.patch
View File

@ -1,860 +0,0 @@
commit 64e36901a0614bf64a19bc3396469c66dcd0b015
Author: Michael Clark <michael@metaparadigm.com>
Date: Wed Apr 9 13:48:21 2014 +0800
Patch to address the following issues:
* CVE-2013-6371: hash collision denial of service
* CVE-2013-6370: buffer overflow if size_t is larger than int
Index: json-c-0.11/Makefile.am
===================================================================
--- json-c-0.11.orig/Makefile.am
+++ json-c-0.11/Makefile.am
@@ -29,7 +29,8 @@ libjson_cinclude_HEADERS = \
json_tokener.h \
json_util.h \
linkhash.h \
- printbuf.h
+ printbuf.h \
+ random_seed.h
#libjsonx_includedir = $(libdir)/json-c-@VERSION@
#
@@ -55,7 +56,8 @@ libjson_c_la_SOURCES = \
json_tokener.c \
json_util.c \
linkhash.c \
- printbuf.c
+ printbuf.c \
+ random_seed.c
distclean-local:
Index: json-c-0.11/config.h.in
===================================================================
--- json-c-0.11.orig/config.h.in
+++ json-c-0.11/config.h.in
@@ -1,5 +1,8 @@
/* config.h.in. Generated from configure.in by autoheader. */
+/* Enable RDRANR Hardware RNG Hash Seed */
+#undef ENABLE_RDRAND
+
/* Define if .gnu.warning accepts long strings. */
#undef HAS_GNU_WARNING_LONG
@@ -9,6 +12,9 @@
/* Define to 1 if you don't have `vprintf' but do have `_doprnt.' */
#undef HAVE_DOPRNT
+/* Define to 1 if you have the <endian.h> header file. */
+#undef HAVE_ENDIAN_H
+
/* Define to 1 if you have the <fcntl.h> header file. */
#undef HAVE_FCNTL_H
Index: json-c-0.11/configure.in
===================================================================
--- json-c-0.11.orig/configure.in
+++ json-c-0.11/configure.in
@@ -15,6 +15,20 @@ AC_ARG_ENABLE(oldname-compat,
)
AM_CONDITIONAL(ENABLE_OLDNAME_COMPAT, [test "x${enable_oldname_compat}" != "xno"])
+AC_ARG_ENABLE(rdrand,
+ AS_HELP_STRING([--enable-rdrand],
+ [Enable RDRAND Hardware RNG Hash Seed generation on supported x86/x64 platforms.]),
+[if test x$enableval = xyes; then
+ enable_rdrand=yes
+ AC_DEFINE(ENABLE_RDRAND, 1, [Enable RDRANR Hardware RNG Hash Seed])
+fi])
+
+if test "x$enable_rdrand" = "xyes"; then
+ AC_MSG_RESULT([RDRAND Hardware RNG Hash Seed enabled on supported x86/x64 platforms])
+else
+ AC_MSG_RESULT([RDRAND Hardware RNG Hash Seed disabled. Use --enable-rdrand to enable])
+fi
+
# Checks for programs.
AC_PROG_CC_STDC
AC_USE_SYSTEM_EXTENSIONS
@@ -27,7 +41,7 @@ AC_SYS_LARGEFILE
AC_CONFIG_HEADER(config.h)
AC_CONFIG_HEADER(json_config.h)
AC_HEADER_STDC
-AC_CHECK_HEADERS(fcntl.h limits.h strings.h syslog.h unistd.h [sys/cdefs.h] [sys/param.h] stdarg.h locale.h)
+AC_CHECK_HEADERS(fcntl.h limits.h strings.h syslog.h unistd.h [sys/cdefs.h] [sys/param.h] stdarg.h locale.h endian.h)
AC_CHECK_HEADER(inttypes.h,[AC_DEFINE([JSON_C_HAVE_INTTYPES_H],[1],[Public define for json_inttypes.h])])
# Checks for typedefs, structures, and compiler characteristics.
Index: json-c-0.11/json_object.h
===================================================================
--- json-c-0.11.orig/json_object.h
+++ json-c-0.11/json_object.h
@@ -13,6 +13,14 @@
#ifndef _json_object_h_
#define _json_object_h_
+#ifdef __GNUC__
+#define THIS_FUNCTION_IS_DEPRECATED(func) func __attribute__ ((deprecated))
+#elif defined(_MSC_VER)
+#define THIS_FUNCTION_IS_DEPRECATED(func) __declspec(deprecated) func
+#else
+#define THIS_FUNCTION_IS_DEPRECATED(func) func
+#endif
+
#include "json_inttypes.h"
#ifdef __cplusplus
@@ -260,8 +268,8 @@ extern void json_object_object_add(struc
* @returns the json_object associated with the given field name
* @deprecated Please use json_object_object_get_ex
*/
-extern struct json_object* json_object_object_get(struct json_object* obj,
- const char *key);
+THIS_FUNCTION_IS_DEPRECATED(extern struct json_object* json_object_object_get(struct json_object* obj,
+ const char *key));
/** Get the json_object associated with a given object field.
*
Index: json-c-0.11/json_tokener.c
===================================================================
--- json-c-0.11.orig/json_tokener.c
+++ json-c-0.11/json_tokener.c
@@ -69,6 +69,7 @@ const char* json_tokener_errors[] = {
"object value separator ',' expected",
"invalid string sequence",
"expected comment",
+ "buffer size overflow"
};
const char *json_tokener_error_desc(enum json_tokener_error jerr)
@@ -254,6 +255,16 @@ struct json_object* json_tokener_parse_e
tok->char_offset = 0;
tok->err = json_tokener_success;
+ /* this interface is presently not 64-bit clean due to the int len argument
+ and the internal printbuf interface that takes 32-bit int len arguments
+ so the function limits the maximum string size to INT32_MAX (2GB).
+ If the function is called with len == -1 then strlen is called to check
+ the string length is less than INT32_MAX (2GB) */
+ if ((len < -1) || (len == -1 && strlen(str) > INT32_MAX)) {
+ tok->err = json_tokener_error_size;
+ return NULL;
+ }
+
while (PEEK_CHAR(c, tok)) {
redo_char:
Index: json-c-0.11/json_tokener.h
===================================================================
--- json-c-0.11.orig/json_tokener.h
+++ json-c-0.11/json_tokener.h
@@ -33,7 +33,8 @@ enum json_tokener_error {
json_tokener_error_parse_object_key_sep,
json_tokener_error_parse_object_value_sep,
json_tokener_error_parse_string,
- json_tokener_error_parse_comment
+ json_tokener_error_parse_comment,
+ json_tokener_error_size
};
enum json_tokener_state {
@@ -170,6 +171,11 @@ extern void json_tokener_set_flags(struc
* responsible for calling json_tokener_parse_ex with an appropriate str
* parameter starting with the extra characters.
*
+ * This interface is presently not 64-bit clean due to the int len argument
+ * so the function limits the maximum string size to INT32_MAX (2GB).
+ * If the function is called with len == -1 then strlen is called to check
+ * the string length is less than INT32_MAX (2GB)
+ *
* Example:
* @code
json_object *jobj = NULL;
Index: json-c-0.11/linkhash.c
===================================================================
--- json-c-0.11.orig/linkhash.c
+++ json-c-0.11/linkhash.c
@@ -17,6 +17,11 @@
#include <stddef.h>
#include <limits.h>
+#ifdef HAVE_ENDIAN_H
+# include <endian.h> /* attempt to define endianness */
+#endif
+
+#include "random_seed.h"
#include "config.h"
#include "linkhash.h"
@@ -40,14 +45,378 @@ int lh_ptr_equal(const void *k1, const v
return (k1 == k2);
}
+/*
+ * hashlittle from lookup3.c, by Bob Jenkins, May 2006, Public Domain.
+ * http://burtleburtle.net/bob/c/lookup3.c
+ * minor modifications to make functions static so no symbols are exported
+ * minor mofifications to compile with -Werror
+ */
+
+/*
+-------------------------------------------------------------------------------
+lookup3.c, by Bob Jenkins, May 2006, Public Domain.
+
+These are functions for producing 32-bit hashes for hash table lookup.
+hashword(), hashlittle(), hashlittle2(), hashbig(), mix(), and final()
+are externally useful functions. Routines to test the hash are included
+if SELF_TEST is defined. You can use this free for any purpose. It's in
+the public domain. It has no warranty.
+
+You probably want to use hashlittle(). hashlittle() and hashbig()
+hash byte arrays. hashlittle() is is faster than hashbig() on
+little-endian machines. Intel and AMD are little-endian machines.
+On second thought, you probably want hashlittle2(), which is identical to
+hashlittle() except it returns two 32-bit hashes for the price of one.
+You could implement hashbig2() if you wanted but I haven't bothered here.
+
+If you want to find a hash of, say, exactly 7 integers, do
+ a = i1; b = i2; c = i3;
+ mix(a,b,c);
+ a += i4; b += i5; c += i6;
+ mix(a,b,c);
+ a += i7;
+ final(a,b,c);
+then use c as the hash value. If you have a variable length array of
+4-byte integers to hash, use hashword(). If you have a byte array (like
+a character string), use hashlittle(). If you have several byte arrays, or
+a mix of things, see the comments above hashlittle().
+
+Why is this so big? I read 12 bytes at a time into 3 4-byte integers,
+then mix those integers. This is fast (you can do a lot more thorough
+mixing with 12*3 instructions on 3 integers than you can with 3 instructions
+on 1 byte), but shoehorning those bytes into integers efficiently is messy.
+-------------------------------------------------------------------------------
+*/
+
+/*
+ * My best guess at if you are big-endian or little-endian. This may
+ * need adjustment.
+ */
+#if (defined(__BYTE_ORDER) && defined(__LITTLE_ENDIAN) && \
+ __BYTE_ORDER == __LITTLE_ENDIAN) || \
+ (defined(i386) || defined(__i386__) || defined(__i486__) || \
+ defined(__i586__) || defined(__i686__) || defined(vax) || defined(MIPSEL))
+# define HASH_LITTLE_ENDIAN 1
+# define HASH_BIG_ENDIAN 0
+#elif (defined(__BYTE_ORDER) && defined(__BIG_ENDIAN) && \
+ __BYTE_ORDER == __BIG_ENDIAN) || \
+ (defined(sparc) || defined(POWERPC) || defined(mc68000) || defined(sel))
+# define HASH_LITTLE_ENDIAN 0
+# define HASH_BIG_ENDIAN 1
+#else
+# define HASH_LITTLE_ENDIAN 0
+# define HASH_BIG_ENDIAN 0
+#endif
+
+#define hashsize(n) ((uint32_t)1<<(n))
+#define hashmask(n) (hashsize(n)-1)
+#define rot(x,k) (((x)<<(k)) | ((x)>>(32-(k))))
+
+/*
+-------------------------------------------------------------------------------
+mix -- mix 3 32-bit values reversibly.
+
+This is reversible, so any information in (a,b,c) before mix() is
+still in (a,b,c) after mix().
+
+If four pairs of (a,b,c) inputs are run through mix(), or through
+mix() in reverse, there are at least 32 bits of the output that
+are sometimes the same for one pair and different for another pair.
+This was tested for:
+* pairs that differed by one bit, by two bits, in any combination
+ of top bits of (a,b,c), or in any combination of bottom bits of
+ (a,b,c).
+* "differ" is defined as +, -, ^, or ~^. For + and -, I transformed
+ the output delta to a Gray code (a^(a>>1)) so a string of 1's (as
+ is commonly produced by subtraction) look like a single 1-bit
+ difference.
+* the base values were pseudorandom, all zero but one bit set, or
+ all zero plus a counter that starts at zero.
+
+Some k values for my "a-=c; a^=rot(c,k); c+=b;" arrangement that
+satisfy this are
+ 4 6 8 16 19 4
+ 9 15 3 18 27 15
+ 14 9 3 7 17 3
+Well, "9 15 3 18 27 15" didn't quite get 32 bits diffing
+for "differ" defined as + with a one-bit base and a two-bit delta. I
+used http://burtleburtle.net/bob/hash/avalanche.html to choose
+the operations, constants, and arrangements of the variables.
+
+This does not achieve avalanche. There are input bits of (a,b,c)
+that fail to affect some output bits of (a,b,c), especially of a. The
+most thoroughly mixed value is c, but it doesn't really even achieve
+avalanche in c.
+
+This allows some parallelism. Read-after-writes are good at doubling
+the number of bits affected, so the goal of mixing pulls in the opposite
+direction as the goal of parallelism. I did what I could. Rotates
+seem to cost as much as shifts on every machine I could lay my hands
+on, and rotates are much kinder to the top and bottom bits, so I used
+rotates.
+-------------------------------------------------------------------------------
+*/
+#define mix(a,b,c) \
+{ \
+ a -= c; a ^= rot(c, 4); c += b; \
+ b -= a; b ^= rot(a, 6); a += c; \
+ c -= b; c ^= rot(b, 8); b += a; \
+ a -= c; a ^= rot(c,16); c += b; \
+ b -= a; b ^= rot(a,19); a += c; \
+ c -= b; c ^= rot(b, 4); b += a; \
+}
+
+/*
+-------------------------------------------------------------------------------
+final -- final mixing of 3 32-bit values (a,b,c) into c
+
+Pairs of (a,b,c) values differing in only a few bits will usually
+produce values of c that look totally different. This was tested for
+* pairs that differed by one bit, by two bits, in any combination
+ of top bits of (a,b,c), or in any combination of bottom bits of
+ (a,b,c).
+* "differ" is defined as +, -, ^, or ~^. For + and -, I transformed
+ the output delta to a Gray code (a^(a>>1)) so a string of 1's (as
+ is commonly produced by subtraction) look like a single 1-bit
+ difference.
+* the base values were pseudorandom, all zero but one bit set, or
+ all zero plus a counter that starts at zero.
+
+These constants passed:
+ 14 11 25 16 4 14 24
+ 12 14 25 16 4 14 24
+and these came close:
+ 4 8 15 26 3 22 24
+ 10 8 15 26 3 22 24
+ 11 8 15 26 3 22 24
+-------------------------------------------------------------------------------
+*/
+#define final(a,b,c) \
+{ \
+ c ^= b; c -= rot(b,14); \
+ a ^= c; a -= rot(c,11); \
+ b ^= a; b -= rot(a,25); \
+ c ^= b; c -= rot(b,16); \
+ a ^= c; a -= rot(c,4); \
+ b ^= a; b -= rot(a,14); \
+ c ^= b; c -= rot(b,24); \
+}
+
+
+/*
+-------------------------------------------------------------------------------
+hashlittle() -- hash a variable-length key into a 32-bit value
+ k : the key (the unaligned variable-length array of bytes)
+ length : the length of the key, counting by bytes
+ initval : can be any 4-byte value
+Returns a 32-bit value. Every bit of the key affects every bit of
+the return value. Two keys differing by one or two bits will have
+totally different hash values.
+
+The best hash table sizes are powers of 2. There is no need to do
+mod a prime (mod is sooo slow!). If you need less than 32 bits,
+use a bitmask. For example, if you need only 10 bits, do
+ h = (h & hashmask(10));
+In which case, the hash table should have hashsize(10) elements.
+
+If you are hashing n strings (uint8_t **)k, do it like this:
+ for (i=0, h=0; i<n; ++i) h = hashlittle( k[i], len[i], h);
+
+By Bob Jenkins, 2006. bob_jenkins@burtleburtle.net. You may use this
+code any way you wish, private, educational, or commercial. It's free.
+
+Use for hash table lookup, or anything where one collision in 2^^32 is
+acceptable. Do NOT use for cryptographic purposes.
+-------------------------------------------------------------------------------
+*/
+
+static uint32_t hashlittle( const void *key, size_t length, uint32_t initval)
+{
+ uint32_t a,b,c; /* internal state */
+ union { const void *ptr; size_t i; } u; /* needed for Mac Powerbook G4 */
+
+ /* Set up the internal state */
+ a = b = c = 0xdeadbeef + ((uint32_t)length) + initval;
+
+ u.ptr = key;
+ if (HASH_LITTLE_ENDIAN && ((u.i & 0x3) == 0)) {
+ const uint32_t *k = (const uint32_t *)key; /* read 32-bit chunks */
+
+ /*------ all but last block: aligned reads and affect 32 bits of (a,b,c) */
+ while (length > 12)
+ {
+ a += k[0];
+ b += k[1];
+ c += k[2];
+ mix(a,b,c);
+ length -= 12;
+ k += 3;
+ }
+
+ /*----------------------------- handle the last (probably partial) block */
+ /*
+ * "k[2]&0xffffff" actually reads beyond the end of the string, but
+ * then masks off the part it's not allowed to read. Because the
+ * string is aligned, the masked-off tail is in the same word as the
+ * rest of the string. Every machine with memory protection I've seen
+ * does it on word boundaries, so is OK with this. But VALGRIND will
+ * still catch it and complain. The masking trick does make the hash
+ * noticably faster for short strings (like English words).
+ */
+#ifndef VALGRIND
+
+ switch(length)
+ {
+ case 12: c+=k[2]; b+=k[1]; a+=k[0]; break;
+ case 11: c+=k[2]&0xffffff; b+=k[1]; a+=k[0]; break;
+ case 10: c+=k[2]&0xffff; b+=k[1]; a+=k[0]; break;
+ case 9 : c+=k[2]&0xff; b+=k[1]; a+=k[0]; break;
+ case 8 : b+=k[1]; a+=k[0]; break;
+ case 7 : b+=k[1]&0xffffff; a+=k[0]; break;
+ case 6 : b+=k[1]&0xffff; a+=k[0]; break;
+ case 5 : b+=k[1]&0xff; a+=k[0]; break;
+ case 4 : a+=k[0]; break;
+ case 3 : a+=k[0]&0xffffff; break;
+ case 2 : a+=k[0]&0xffff; break;
+ case 1 : a+=k[0]&0xff; break;
+ case 0 : return c; /* zero length strings require no mixing */
+ }
+
+#else /* make valgrind happy */
+
+ const uint8_t *k8 = (const uint8_t *)k;
+ switch(length)
+ {
+ case 12: c+=k[2]; b+=k[1]; a+=k[0]; break;
+ case 11: c+=((uint32_t)k8[10])<<16; /* fall through */
+ case 10: c+=((uint32_t)k8[9])<<8; /* fall through */
+ case 9 : c+=k8[8]; /* fall through */
+ case 8 : b+=k[1]; a+=k[0]; break;
+ case 7 : b+=((uint32_t)k8[6])<<16; /* fall through */
+ case 6 : b+=((uint32_t)k8[5])<<8; /* fall through */
+ case 5 : b+=k8[4]; /* fall through */
+ case 4 : a+=k[0]; break;
+ case 3 : a+=((uint32_t)k8[2])<<16; /* fall through */
+ case 2 : a+=((uint32_t)k8[1])<<8; /* fall through */
+ case 1 : a+=k8[0]; break;
+ case 0 : return c;
+ }
+
+#endif /* !valgrind */
+
+ } else if (HASH_LITTLE_ENDIAN && ((u.i & 0x1) == 0)) {
+ const uint16_t *k = (const uint16_t *)key; /* read 16-bit chunks */
+ const uint8_t *k8;
+
+ /*--------------- all but last block: aligned reads and different mixing */
+ while (length > 12)
+ {
+ a += k[0] + (((uint32_t)k[1])<<16);
+ b += k[2] + (((uint32_t)k[3])<<16);
+ c += k[4] + (((uint32_t)k[5])<<16);
+ mix(a,b,c);
+ length -= 12;
+ k += 6;
+ }
+
+ /*----------------------------- handle the last (probably partial) block */
+ k8 = (const uint8_t *)k;
+ switch(length)
+ {
+ case 12: c+=k[4]+(((uint32_t)k[5])<<16);
+ b+=k[2]+(((uint32_t)k[3])<<16);
+ a+=k[0]+(((uint32_t)k[1])<<16);
+ break;
+ case 11: c+=((uint32_t)k8[10])<<16; /* fall through */
+ case 10: c+=k[4];
+ b+=k[2]+(((uint32_t)k[3])<<16);
+ a+=k[0]+(((uint32_t)k[1])<<16);
+ break;
+ case 9 : c+=k8[8]; /* fall through */
+ case 8 : b+=k[2]+(((uint32_t)k[3])<<16);
+ a+=k[0]+(((uint32_t)k[1])<<16);
+ break;
+ case 7 : b+=((uint32_t)k8[6])<<16; /* fall through */
+ case 6 : b+=k[2];
+ a+=k[0]+(((uint32_t)k[1])<<16);
+ break;
+ case 5 : b+=k8[4]; /* fall through */
+ case 4 : a+=k[0]+(((uint32_t)k[1])<<16);
+ break;
+ case 3 : a+=((uint32_t)k8[2])<<16; /* fall through */
+ case 2 : a+=k[0];
+ break;
+ case 1 : a+=k8[0];
+ break;
+ case 0 : return c; /* zero length requires no mixing */
+ }
+
+ } else { /* need to read the key one byte at a time */
+ const uint8_t *k = (const uint8_t *)key;
+
+ /*--------------- all but the last block: affect some 32 bits of (a,b,c) */
+ while (length > 12)
+ {
+ a += k[0];
+ a += ((uint32_t)k[1])<<8;
+ a += ((uint32_t)k[2])<<16;
+ a += ((uint32_t)k[3])<<24;
+ b += k[4];
+ b += ((uint32_t)k[5])<<8;
+ b += ((uint32_t)k[6])<<16;
+ b += ((uint32_t)k[7])<<24;
+ c += k[8];
+ c += ((uint32_t)k[9])<<8;
+ c += ((uint32_t)k[10])<<16;
+ c += ((uint32_t)k[11])<<24;
+ mix(a,b,c);
+ length -= 12;
+ k += 12;
+ }
+
+ /*-------------------------------- last block: affect all 32 bits of (c) */
+ switch(length) /* all the case statements fall through */
+ {
+ case 12: c+=((uint32_t)k[11])<<24;
+ case 11: c+=((uint32_t)k[10])<<16;
+ case 10: c+=((uint32_t)k[9])<<8;
+ case 9 : c+=k[8];
+ case 8 : b+=((uint32_t)k[7])<<24;
+ case 7 : b+=((uint32_t)k[6])<<16;
+ case 6 : b+=((uint32_t)k[5])<<8;
+ case 5 : b+=k[4];
+ case 4 : a+=((uint32_t)k[3])<<24;
+ case 3 : a+=((uint32_t)k[2])<<16;
+ case 2 : a+=((uint32_t)k[1])<<8;
+ case 1 : a+=k[0];
+ break;
+ case 0 : return c;
+ }
+ }
+
+ final(a,b,c);
+ return c;
+}
+
unsigned long lh_char_hash(const void *k)
{
- unsigned int h = 0;
- const char* data = (const char*)k;
-
- while( *data!=0 ) h = h*129 + (unsigned int)(*data++) + LH_PRIME;
+ static volatile int random_seed = -1;
+
+ if (random_seed == -1) {
+ int seed;
+ /* we can't use -1 as it is the unitialized sentinel */
+ while ((seed = json_c_get_random_seed()) == -1);
+#if defined __GNUC__
+ __sync_val_compare_and_swap(&random_seed, -1, seed);
+#elif defined _MSC_VER
+ InterlockedCompareExchange(&random_seed, seed, -1);
+#else
+#warning "racy random seed initializtion if used by multiple threads"
+ random_seed = seed; /* potentially racy */
+#endif
+ }
- return h;
+ return hashlittle((const char*)k, strlen((const char*)k), random_seed);
}
int lh_char_equal(const void *k1, const void *k2)
Index: json-c-0.11/linkhash.h
===================================================================
--- json-c-0.11.orig/linkhash.h
+++ json-c-0.11/linkhash.h
@@ -246,7 +246,7 @@ extern struct lh_entry* lh_table_lookup_
* @return a pointer to the found value or NULL if it does not exist.
* @deprecated Use lh_table_lookup_ex instead.
*/
-extern const void* lh_table_lookup(struct lh_table *t, const void *k);
+THIS_FUNCTION_IS_DEPRECATED(extern const void* lh_table_lookup(struct lh_table *t, const void *k));
/**
* Lookup a record in the table
Index: json-c-0.11/random_seed.c
===================================================================
--- /dev/null
+++ json-c-0.11/random_seed.c
@@ -0,0 +1,237 @@
+/*
+ * random_seed.c
+ *
+ * Copyright (c) 2013 Metaparadigm Pte. Ltd.
+ * Michael Clark <michael@metaparadigm.com>
+ *
+ * This library is free software; you can redistribute it and/or modify
+ * it under the terms of the MIT license. See COPYING for details.
+ *
+ */
+
+#include <stdio.h>
+#include "config.h"
+
+#define DEBUG_SEED(s)
+
+
+#if defined ENABLE_RDRAND
+
+/* cpuid */
+
+#if defined __GNUC__ && (defined __i386__ || defined __x86_64__)
+#define HAS_X86_CPUID 1
+
+static void do_cpuid(int regs[], int h)
+{
+ __asm__ __volatile__(
+#if defined __x86_64__
+ "pushq %%rbx;\n"
+#else
+ "pushl %%ebx;\n"
+#endif
+ "cpuid;\n"
+#if defined __x86_64__
+ "popq %%rbx;\n"
+#else
+ "popl %%ebx;\n"
+#endif
+ : "=a"(regs[0]), [ebx] "=r"(regs[1]), "=c"(regs[2]), "=d"(regs[3])
+ : "a"(h));
+}
+
+#elif defined _MSC_VER
+
+#define HAS_X86_CPUID 1
+#define do_cpuid __cpuid
+
+#endif
+
+/* has_rdrand */
+
+#if HAS_X86_CPUID
+
+static int has_rdrand()
+{
+ // CPUID.01H:ECX.RDRAND[bit 30] == 1
+ int regs[4];
+ do_cpuid(regs, 1);
+ return (regs[2] & (1 << 30)) != 0;
+}
+
+#endif
+
+/* get_rdrand_seed - GCC x86 and X64 */
+
+#if defined __GNUC__ && (defined __i386__ || defined __x86_64__)
+
+#define HAVE_RDRAND 1
+
+static int get_rdrand_seed()
+{
+ DEBUG_SEED("get_rdrand_seed");
+ int _eax;
+ // rdrand eax
+ __asm__ __volatile__("1: .byte 0x0F\n"
+ " .byte 0xC7\n"
+ " .byte 0xF0\n"
+ " jnc 1b;\n"
+ : "=a" (_eax));
+ return _eax;
+}
+
+#endif
+
+#if defined _MSC_VER
+
+#if _MSC_VER >= 1700
+#define HAVE_RDRAND 1
+
+/* get_rdrand_seed - Visual Studio 2012 and above */
+
+static int get_rdrand_seed()
+{
+ DEBUG_SEED("get_rdrand_seed");
+ int r;
+ while (_rdrand32_step(&r) == 0);
+ return r;
+}
+
+#elif defined _M_IX86
+#define HAVE_RDRAND 1
+
+/* get_rdrand_seed - Visual Studio 2010 and below - x86 only */
+
+static int get_rdrand_seed()
+{
+ DEBUG_SEED("get_rdrand_seed");
+ int _eax;
+retry:
+ // rdrand eax
+ __asm _emit 0x0F __asm _emit 0xC7 __asm _emit 0xF0
+ __asm jnc retry
+ __asm mov _eax, eax
+ return _eax;
+}
+
+#endif
+#endif
+
+#endif /* defined ENABLE_RDRAND */
+
+
+/* has_dev_urandom */
+
+#if defined (__APPLE__) || defined(__unix__) || defined(__linux__)
+
+#include <string.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+
+#define HAVE_DEV_RANDOM 1
+
+static const char *dev_random_file = "/dev/urandom";
+
+static int has_dev_urandom()
+{
+ struct stat buf;
+ if (stat(dev_random_file, &buf)) {
+ return 0;
+ }
+ return ((buf.st_mode & S_IFCHR) != 0);
+}
+
+
+/* get_dev_random_seed */
+
+static int get_dev_random_seed()
+{
+ DEBUG_SEED("get_dev_random_seed");
+
+ int fd = open(dev_random_file, O_RDONLY);
+ if (fd < 0) {
+ fprintf(stderr, "error opening %s: %s", dev_random_file, strerror(errno));
+ exit(1);
+ }
+
+ int r;
+ ssize_t nread = read(fd, &r, sizeof(r));
+ if (nread != sizeof(r)) {
+ fprintf(stderr, "error read %s: %s", dev_random_file, strerror(errno));
+ exit(1);
+ }
+ else if (nread != sizeof(r)) {
+ fprintf(stderr, "error short read %s", dev_random_file);
+ exit(1);
+ }
+ close(fd);
+ return r;
+}
+
+#endif
+
+
+/* get_cryptgenrandom_seed */
+
+#ifdef WIN32
+
+#define HAVE_CRYPTGENRANDOM 1
+
+#include <windows.h>
+#pragma comment(lib, "advapi32.lib")
+
+static int get_cryptgenrandom_seed()
+{
+ DEBUG_SEED("get_cryptgenrandom_seed");
+
+ HCRYPTPROV hProvider = 0;
+ int r;
+
+ if (!CryptAcquireContextW(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) {
+ fprintf(stderr, "error CryptAcquireContextW");
+ exit(1);
+ }
+
+ if (!CryptGenRandom(hProvider, sizeof(r), (BYTE*)&r)) {
+ fprintf(stderr, "error CryptGenRandom");
+ exit(1);
+ }
+
+ CryptReleaseContext(hProvider, 0);
+
+ return r;
+}
+
+#endif
+
+
+/* get_time_seed */
+
+#include <time.h>
+
+static int get_time_seed()
+{
+ DEBUG_SEED("get_time_seed");
+
+ return (int)time(NULL) * 433494437;
+}
+
+
+/* json_c_get_random_seed */
+
+int json_c_get_random_seed()
+{
+#if HAVE_RDRAND
+ if (has_rdrand()) return get_rdrand_seed();
+#endif
+#if HAVE_DEV_RANDOM
+ if (has_dev_urandom()) return get_dev_random_seed();
+#endif
+#if HAVE_CRYPTGENRANDOM
+ return get_cryptgenrandom_seed();
+#endif
+ return get_time_seed();
+}
Index: json-c-0.11/random_seed.h
===================================================================
--- /dev/null
+++ json-c-0.11/random_seed.h
@@ -0,0 +1,25 @@
+/*
+ * random_seed.h
+ *
+ * Copyright (c) 2013 Metaparadigm Pte. Ltd.
+ * Michael Clark <michael@metaparadigm.com>
+ *
+ * This library is free software; you can redistribute it and/or modify
+ * it under the terms of the MIT license. See COPYING for details.
+ *
+ */
+
+#ifndef seed_h
+#define seed_h
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+extern int json_c_get_random_seed();
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

59
json-c-lfs.patch
View File

@ -1,59 +0,0 @@
--- a/configure.in 2013-04-01 04:30:51.000000000 +0200
+++ b/configure.in 2014-01-06 13:14:22.551626326 +0100
@@ -1,7 +1,7 @@
AC_PREREQ(2.52)
# Process this file with autoconf to produce a configure script.
-AC_INIT([json-c], 0.11, [json-c@googlegroups.com])
+AC_INIT([json-c], [0.11], [json-c@googlegroups.com])
AM_INIT_AUTOMAKE(AC_PACKAGE_NAME, AC_PACKAGE_VERSION)
@@ -16,6 +16,10 @@
AM_CONDITIONAL(ENABLE_OLDNAME_COMPAT, [test "x${enable_oldname_compat}" != "xno"])
# Checks for programs.
+AC_PROG_CC_STDC
+AC_USE_SYSTEM_EXTENSIONS
+AC_SYS_LARGEFILE
+
# Checks for libraries.
--- a/linkhash.c 2013-04-01 04:01:09.000000000 +0200
+++ b/linkhash.c 2014-01-06 13:10:22.077585077 +0100
@@ -17,6 +17,7 @@
#include <stddef.h>
#include <limits.h>
+#include "config.h"
#include "linkhash.h"
void lh_abort(const char *msg, ...)
--- a/Makefile.am.inc 2013-04-01 04:01:09.000000000 +0200
+++ b/Makefile.am.inc 2014-01-06 13:12:32.199360740 +0100
@@ -1,2 +1,2 @@
-AM_CFLAGS = -Wall -Werror -Wextra -Wwrite-strings -Wno-unused-parameter -std=gnu99 -D_GNU_SOURCE -D_REENTRANT
+AM_CFLAGS = -Wall -Wextra -Wwrite-strings -Wno-unused-parameter -D_REENTRANT
--- a/tests/test1.c 2013-04-01 04:01:09.000000000 +0200
+++ b/tests/test1.c 2014-01-06 13:10:22.077585077 +0100
@@ -1,3 +1,4 @@
+#include "config.h"
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
--- a/tests/test2.c 2013-04-01 04:01:09.000000000 +0200
+++ b/tests/test2.c 2014-01-06 13:10:22.077585077 +0100
@@ -1,3 +1,4 @@
+#include "config.h"
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
--- a/tests/test_printbuf.c 2013-04-01 04:01:09.000000000 +0200
+++ b/tests/test_printbuf.c 2014-01-06 13:10:22.078585055 +0100
@@ -1,3 +1,4 @@
+#include "config.h"
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

39
json-c.changes
View File

@ -1,3 +1,42 @@
-------------------------------------------------------------------
Sat Sep 20 12:07:25 UTC 2014 - andreas.stieger@gmx.de
- json-c 0.12
Fixes for security issues contained in this release have been
previously patched into this package, but listed for completeness:
* Address security issues:
* CVE-2013-6371: hash collision denial of service
* CVE-2013-6370: buffer overflow if size_t is larger than int
- Further changes:
* Avoid potential overflow in json_object_get_double
* Eliminate the mc_abort() function and MC_ABORT macro.
* Make the json_tokener_errors array local. It has been deprecated for
a while, and json_tokener_error_desc() should be used instead.
* change the floating point output format to %.17g so values with
more than 6 digits show up in the output.
* Remove the old libjson.so name compatibility support. The library is
only created as libjson-c.so now and headers are only installed
into the ${prefix}/json-c directory.
* When supported by the linker, add the -Bsymbolic-functions flag.
* Make strict mode more strict:
* number must not start with 0
* no single-quote strings
* no comments
* trailing char not allowed
* only allow lowercase literals
* Added a json_object_new_double_s() convenience function to allow
an exact string representation of a double to be specified when
creating the object and use it in json_tokener_parse_ex() so
a re-serialized object more exactly matches the input.
* Add support NaN and Infinity
- packaging changes:
* json-c-hash-dos-and-overflow-random-seed-4e.patch is upstream
* Move from json-c-lfs.patch which removed warning errors and
autoconf call to json-c-0.12-unused_variable_size.patch from
upstream which fixes the warning
* except for SLE 11 where autoreconf call is required
* add licence file to main package
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Apr 7 12:22:58 UTC 2014 - idonmez@suse.com Mon Apr 7 12:22:58 UTC 2014 - idonmez@suse.com

28
json-c.spec
View File

@ -19,23 +19,20 @@
%define libname libjson-c %define libname libjson-c
%define libsoname %{libname}2 %define libsoname %{libname}2
%define oldlibname libjson %define oldlibname libjson
Name: json-c Name: json-c
Version: 0.12
Release: 0
Summary: JSON implementation in C Summary: JSON implementation in C
License: MIT License: MIT
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
Version: 0.11
Release: 0
Url: https://github.com/json-c/json-c/wiki Url: https://github.com/json-c/json-c/wiki
#Git-Clone git://github.com/json-c/json-c #Git-Clone git://github.com/json-c/json-c
Source0: https://s3.amazonaws.com/json-c_releases/releases/%{name}-%{version}.tar.gz Source0: https://s3.amazonaws.com/json-c_releases/releases/%{name}-%{version}.tar.gz
Source1: baselibs.conf Source1: baselibs.conf
Patch0: %{name}-lfs.patch Patch0: json-c-0.12-unused_variable_size.patch
Patch1: %{name}-hash-dos-and-overflow-random-seed-4e.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildRequires: libtool BuildRequires: libtool
BuildRequires: pkg-config BuildRequires: pkg-config
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description %description
JSON-C implements a reference counting object model that allows you to JSON-C implements a reference counting object model that allows you to
@ -76,7 +73,7 @@ Summary: Documentation files
Group: Documentation/Other Group: Documentation/Other
Provides: %{oldlibname}-doc = %{version} Provides: %{oldlibname}-doc = %{version}
Obsoletes: %{oldlibname}-doc < %{version} Obsoletes: %{oldlibname}-doc < %{version}
%if 0%{suse_version} >= 1120 %if 0%{?suse_version} >= 1120
BuildArch: noarch BuildArch: noarch
%endif %endif
@ -91,21 +88,23 @@ This package includes the json-c documentation.
%prep %prep
%setup -q %setup -q
%patch0 -p1 %patch0 -p1
%patch1 -p1
%build %build
%if 0%{?suse_version} <= 1110
sed -i 's/-Werror //g' Makefile.am.inc
autoreconf -fiv autoreconf -fiv
%endif
%configure --disable-static --with-pic --disable-oldname-compat %configure --disable-static --with-pic --disable-oldname-compat
%{__make} %{?_smp_mflags} make %{?_smp_mflags}
%check %check
%{__make} %{?_smp_mflags} check make %{?_smp_mflags} check
%install %install
%makeinstall DESTDIR=$RPM_BUILD_ROOT libdir=%{_libdir} mandir=%{_mandir} make DESTDIR=%{buildroot} install %{?_smp_mflags} DESTDIR=%{buildroot} libdir=%{_libdir} mandir=%{_mandir}
rm -Rf "%buildroot/%_libdir"/*.la find %{buildroot} -type f -name "*.la" -delete -print
# create a compatibilty pkg-config file for software needing it # create a compatibilty pkg-config file for software needing it
(cd $RPM_BUILD_ROOT%{_libdir}/pkgconfig && ln -s json-c.pc json.pc) (cd %{buildroot}%{_libdir}/pkgconfig && ln -s json-c.pc json.pc)
%post -n %{libsoname} -p /sbin/ldconfig %post -n %{libsoname} -p /sbin/ldconfig
@ -114,6 +113,7 @@ rm -Rf "%buildroot/%_libdir"/*.la
%files -n %{libsoname} %files -n %{libsoname}
%defattr(-,root,root) %defattr(-,root,root)
%{_libdir}/%{libname}.so.* %{_libdir}/%{libname}.so.*
%doc COPYING
%files -n %{libname}-devel %files -n %{libname}-devel
%defattr(-,root,root) %defattr(-,root,root)