Expected timeline for new release #603

Closed
shubhamkulkarni97 opened this issue Jul 28, 2021 · 9 comments

@shubhamkulkarni97

Hi, a NULL pointer crash is observed in the latest release of cJSON.
This issue was fixed by #538. However, this fix is part of the master branch and not part of any release.

This issue is observed in the context of Espressif's ESP-IDF framework: espressif/esp-idf#7317
We prefer stable releases for all upstream libraries, and since there has been no release of cJSON for a long time, this issue is observed.

Could you please share the expected timeline for a new official release?

Thanks,
Shubham

@Alanscut
Collaborator

Hi, Shubham,

Has #538 solved the issue in esp-idf? If so, I will make a new release next week.
IMO, #538 is just a security enhancement; the issue in #536 will not be triggered if we use cJSON the right way.

Alan

@shubhamkulkarni97
Author

Hi @Alanscut, thanks for the prompt response.

You are indeed correct that the issue will not be triggered if we use cJSON the right way. However, it would be great to address this issue as a security enhancement.

It would be really helpful if you could make a new release.

Thanks,
Shubham

@schmidtw

@Alanscut There are several outstanding PRs that look like good wins. Can we get at least a few of them up for consideration in this release?

Examples:

@Alanscut
Collaborator

Hi @schmidtw, I'm sorry for the delayed reply. A lot of real stuff has occupied me lately; I'll take a closer look when I get free.

@AxelLin

AxelLin commented Jul 31, 2021

> Hi, Shubham,
>
> Has #538 solved the issue in esp-idf? If so, I will make a new release next week.
> IMO, #538 is just a security enhancement; the issue in #536 will not be triggered if we use cJSON the right way.
>
> Alan

Hi, @Alanscut

Is it valid to call `cJSON_CreateIntArray`, `cJSON_CreateFloatArray`, `cJSON_CreateDoubleArray`, `cJSON_CreateStringArray` with `count = 0`?

The current code implies it's valid to call the above functions with `count = 0` because it does not return NULL.
If it's indeed valid in such a case, a new release is required. (Older versions of cJSON do not hit a NULL ptr dereference if `count == 0`.)
If it's not valid, the code checking the count argument should change to `if (count <= 0)` instead.

@Alanscut
Collaborator

Hi, @AxelLin

Thank you for pointing out the validity of `count = 0`. Although I think it makes no sense to pass `count = 0` to `cJSON_CreateXxxArray`, I have to admit that it is really valid in cJSON before v1.7.14, and I shouldn't change the behavior in the next version, so a new version will be released in the next days.

Alan
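
The `count = 0` edge case discussed above, as an added example that is neither cJSON's code nor part of the thread: a simplified linked-list model in which an empty input yields an empty array instead of a NULL dereference, while negative counts are still rejected. The `node` type, `create_int_array`, `free_array` and the head->prev tail cache are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical node type for this model; not cJSON's own struct. */
typedef struct node { struct node *next, *prev, *child; int value; } node;

static void free_array(node *a)
{
    node *c = a ? a->child : NULL;
    while (c != NULL) { node *next = c->next; free(c); c = next; }
    free(a);
}

/* count == 0 is a valid request and returns an empty array;
 * count < 0 or numbers == NULL is rejected with NULL. */
static node *create_int_array(const int *numbers, int count)
{
    node *a, *tail = NULL;
    if (count < 0 || numbers == NULL) return NULL;
    a = calloc(1, sizeof(*a));
    for (int i = 0; a != NULL && i < count; i++) {
        node *n = calloc(1, sizeof(*n));
        if (n == NULL) { free_array(a); return NULL; }
        n->value = numbers[i];
        if (tail == NULL) a->child = n;
        else { tail->next = n; n->prev = tail; }
        tail = n;
    }
    /* Model assumption: head->prev caches the tail. With count == 0 there is
     * no head, so an unguarded a->child->prev = tail would dereference NULL. */
    if (a != NULL && a->child != NULL) a->child->prev = tail;
    return a;
}

int main(void)
{
    int nums[] = {1, 2, 3};               /* constructed sample input */
    node *empty = create_int_array(nums, 0);
    node *three = create_int_array(nums, 3);
    printf("empty array: %s\n", empty && !empty->child ? "ok" : "bad");
    printf("tail via head->prev: %d\n", three ? three->child->prev->value : -1);
    free_array(empty); free_array(three);
    return 0;
}
```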

@AxelLin

AxelLin commented Aug 11, 2021

> so a new version will be released in the next days.

@Alanscut
Any update?

@AxelLin

AxelLin commented Aug 23, 2021

@Alanscut
Any update on the new version release?

@Alanscut
Collaborator

Alanscut commented Aug 25, 2021

@AxelLin 1.7.15 released. I'm sorry for the late release, I have been trapped by an important thing in the last two weeks, and now I can finally take a breath 😌
