From d86ebd42ff070c051d2dd9bf67cfee81fd3b02ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Esser?=
Date: Thu, 14 Dec 2017 18:54:42 +0100
Subject: [PATCH] Update patch fixing a segfault caused by possible invalid frees
---
 ...-0.13_json_object_avoid_invalid_free.patch | 32 +++++++++----------
 json-c.spec | 5 ++-
 2 files changed, 20 insertions(+), 17 deletions(-)
diff --git a/json-c-0.13_json_object_avoid_invalid_free.patch b/json-c-0.13_json_object_avoid_invalid_free.patch
index 5aefc5c..e266a3b 100644
--- a/json-c-0.13_json_object_avoid_invalid_free.patch
+++ b/json-c-0.13_json_object_avoid_invalid_free.patch
@@ -1,26 +1,26 @@
-From 1c1c14271eadeb35dc2fb38e199bde2e90ff4ea3 Mon Sep 17 00:00:00 2001
+From 9aca3b6a087a396a81d7e26f4557eb97fecc1386 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Bj=C3=B6rn=20Esser?=
 Date: Wed, 13 Dec 2017 19:22:52 +0100
-Subject: [PATCH] json_object: Avoid double free (and thus a segfault) when
+Subject: [PATCH] json_object: Avoid invalid free (and thus a segfault) when
 ref_count gets < 0
 ---
- json_object.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
+ json_object.c | 5 +++++
+ 1 file changed, 5 insertions(+)
 diff --git a/json_object.c b/json_object.c
-index 042477a71b..b94b9e222a 100644
+index 042477a71b..7c7438d8ea 100644
 --- a/json_object.c
+++ b/json_object.c
-@@ -189,9 +189,9 @@ int json_object_put(struct json_object *jso)
- * as that can result in the thread that loses the race to 0
- * operating on an already-freed object.
- */
-- if (__sync_sub_and_fetch(&jso->_ref_count, 1) > 0) return 0;
-+ if (__sync_sub_and_fetch(&jso->_ref_count, 1) != 0) return 0;
- #else
-- if (--jso->_ref_count > 0) return 0;
-+ if (--jso->_ref_count != 0) return 0;
- #endif
+@@ -182,6 +182,11 @@ int json_object_put(struct json_object *jso)
+ {
+ if(!jso) return 0;
- if (jso->_user_delete)
++ /* Avoid invalid free and crash explicitly instead of (silently)
++ * segfaulting.
++ */
++ assert(jso->_ref_count > 0);
++
+ #if defined(HAVE_ATOMIC_BUILTINS) && defined(ENABLE_THREADING)
+ /* Note: this only allow the refcount to remain correct
+ * when multiple threads are adjusting it. It is still an error
diff --git a/json-c.spec b/json-c.spec
index 04452da..f6024b2 100644
--- a/json-c.spec
+++ b/json-c.spec
@@ -16,7 +16,7 @@ Name: json-c
 Version: 0.13
-Release: 4%{?dist}
+Release: 5%{?dist}
 Summary: JSON implementation in C
 License: MIT
@@ -176,6 +176,9 @@ end
 %changelog
+* Thu Dec 14 2017 Björn Esser - 0.13-5
+- Update patch fixing a segfault caused by possible invalid frees
+
 * Wed Dec 13 2017 Björn Esser - 0.13-4
 - Add upstream patch fixing invalid free in some cases
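Review bot: The new `assert(jso->_ref_count > 0);` in json_object_put is compiled out whenever NDEBUG is defined, so in such builds the decrement and the free path that follow run exactly as before and the invalid free named in the patch subject is not prevented, only turned into a deliberate abort in assertion-enabled builds. If the intent is to fail deterministically in every build, an unconditional guard is needed alongside the assert, e.g. `if (jso->_ref_count <= 0) abort();`, or the patch description should state that the protection is limited to builds with assertions enabled. In the HAVE_ATOMIC_BUILTINS build the assert reads `_ref_count` with a plain load ahead of the `__sync_sub_and_fetch`, so it is a best-effort diagnostic rather than a race-free check; a short comment saying so would avoid a false sense of safety, e.g. `/* Diagnostic only: plain read, not synchronized with the atomic decrement below. */`. The hunk also relies on `<assert.h>` already being included by json_object.c, which this patch does not add; worth confirming. json_object_put continues beyond the end of the hunk.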