Control: tags -1 patch

I am uploading the attached changes as NMU.
diff -Nru rapidjson-1.1.0+dfsg2/debian/changelog 
rapidjson-1.1.0+dfsg2/debian/changelog
--- rapidjson-1.1.0+dfsg2/debian/changelog      2024-07-26 13:03:47.000000000 
+0200
+++ rapidjson-1.1.0+dfsg2/debian/changelog      2025-04-25 10:11:59.000000000 
+0200
@@ -1,3 +1,10 @@
+rapidjson (1.1.0+dfsg2-7.4) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix CVE-2024-38517 with upstream patch. (Closes: #1083185)
+
+ -- Bastian Germann <b...@debian.org>  Fri, 25 Apr 2025 10:12:00 +0200
+
 rapidjson (1.1.0+dfsg2-7.3) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru rapidjson-1.1.0+dfsg2/debian/patches/CVE-2024-38517.patch 
rapidjson-1.1.0+dfsg2/debian/patches/CVE-2024-38517.patch
--- rapidjson-1.1.0+dfsg2/debian/patches/CVE-2024-38517.patch   1970-01-01 
01:00:00.000000000 +0100
+++ rapidjson-1.1.0+dfsg2/debian/patches/CVE-2024-38517.patch   2025-04-25 
10:05:00.000000000 +0200
@@ -0,0 +1,56 @@
+Origin: upstream, 8269bc2bc289e9d343bae51cdf6d23ef0950e001
+From: Florin Malita <fmal...@gmail.com>
+Date: Tue, 15 May 2018 22:48:07 -0400
+Subject: Prevent int underflow when parsing exponents
+
+When parsing negative exponents, the current implementation takes
+precautions for |exp| to not underflow int.
+
+But that is not sufficient: later on [1], |exp + expFrac| is also
+stored to an int - so we must ensure that the sum stays within int
+representable values.
+
+Update the exp clamping logic to take expFrac into account.
+
+[1] 
https://github.com/Tencent/rapidjson/blob/master/include/rapidjson/reader.h#L1690
+---
+ include/rapidjson/reader.h   | 11 ++++++++++-
+ test/unittest/readertest.cpp |  1 +
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/include/rapidjson/reader.h b/include/rapidjson/reader.h
+index 7441eda4a..f95aef425 100644
+--- a/include/rapidjson/reader.h
++++ b/include/rapidjson/reader.h
+@@ -1632,9 +1632,18 @@ class GenericReader {
+             if (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= '9')) {
+                 exp = static_cast<int>(s.Take() - '0');
+                 if (expMinus) {
++                    // (exp + expFrac) must not underflow int => we're 
detecting when -exp gets
++                    // dangerously close to INT_MIN (a pessimistic next digit 
9 would push it into
++                    // underflow territory):
++                    //
++                    //        -(exp * 10 + 9) + expFrac >= INT_MIN
++                    //   <=>  exp <= (expFrac - INT_MIN - 9) / 10
++                    RAPIDJSON_ASSERT(expFrac <= 0);
++                    int maxExp = (expFrac + 2147483639) / 10;
++
+                     while (RAPIDJSON_LIKELY(s.Peek() >= '0' && s.Peek() <= 
'9')) {
+                         exp = exp * 10 + static_cast<int>(s.Take() - '0');
+-                        if (exp >= 214748364) {                         // 
Issue #313: prevent overflow exponent
++                        if (RAPIDJSON_UNLIKELY(exp > maxExp)) {
+                             while (RAPIDJSON_UNLIKELY(s.Peek() >= '0' && 
s.Peek() <= '9'))  // Consume the rest of exponent
+                                 s.Take();
+                         }
+diff --git a/test/unittest/readertest.cpp b/test/unittest/readertest.cpp
+index e5308019d..c4800b936 100644
+--- a/test/unittest/readertest.cpp
++++ b/test/unittest/readertest.cpp
+@@ -242,6 +242,7 @@ static void TestParseDouble() {
+     TEST_DOUBLE(fullPrecision, "1e-214748363", 0.0);                          
        // Maximum supported negative exponent
+     TEST_DOUBLE(fullPrecision, "1e-214748364", 0.0);
+     TEST_DOUBLE(fullPrecision, "1e-21474836311", 0.0);
++    TEST_DOUBLE(fullPrecision, "1.00000000001e-2147483638", 0.0);
+     TEST_DOUBLE(fullPrecision, "0.017976931348623157e+310", 
1.7976931348623157e+308); // Max double in another form
+ 
+     // Since
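Review bot: The new quilt patch header at the top of the hunk carries Origin/From/Date/Subject but no `Bug-Debian:` field, so the link from this security patch back to #1083185 (named only in debian/changelog) is lost once that changelog entry is no longer the top one; add `Bug-Debian: https://bugs.debian.org/1083185` next to the `Origin:` line so the patch is self-describing per DEP-3. The upstream commit is dated 2018 and its hunk header `@@ -1632,9 +1632,18 @@` refers to a reader.h well past the 1.1.0 sources, so it presumably applies with an offset; worth confirming that `quilt push` applies it without fuzz and that the added readertest.cpp case actually runs in the package build, since that test is the only check that the new clamp is right. `RAPIDJSON_ASSERT(expFrac <= 0)` is compiled out when assertions are disabled, so the `maxExp` arithmetic depends on the caller keeping expFrac non-positive, which appears to hold from how the fraction digits are counted but that code is outside this hunk. The enclosing function (the hunk header names only `class GenericReader`) starts and ends outside the hunk.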
diff -Nru rapidjson-1.1.0+dfsg2/debian/patches/series 
rapidjson-1.1.0+dfsg2/debian/patches/series
--- rapidjson-1.1.0+dfsg2/debian/patches/series 2024-07-26 13:03:47.000000000 
+0200
+++ rapidjson-1.1.0+dfsg2/debian/patches/series 2025-04-25 10:05:52.000000000 
+0200
@@ -20,3 +20,4 @@
 0001-Fix-recursive-operator-call-in-C-20-1846.patch
 0001-gate-definition-of-symmetric-equality-operators-on-i.patch
 0001-do-not-define-operator-in-C-20.patch
+CVE-2024-38517.patch
