- Add NULL check to cJSON_SetValuestring() (CVE-2024-31755), see #839 and #840
- Remove non-functional list handling of compiler flags, see #851
- Fix heap buffer overflow, see #852
- remove misused optimization flag -01, see #854
- Set free'd pointers to NULL whenever they are not reassigned immediately after, see #855 and #833
- Fix null reference in cJSON_SetValuestring (CVE-2023-50472), see #809
- Fix null reference in cJSON_InsertItemInArray (CVE-2023-50471), see #809 and #810
- Add an option for ENABLE_CJSON_VERSION_SO in CMakeLists.txt, see #534
- Add cmake_policy to CMakeLists.txt, see #163
- Add cJSON_SetBoolValue, see #639
- Add meson documentation, see #761
- Fix memory leak in merge_patch, see #611
- Fix conflicting target names 'uninstall', see #617
- Bump cmake version to 3.0 and use new version syntax, see #587
- Print int without decimal places, see #630
- Fix 'cjson_utils-static' target not exist, see #625
- Add allocate check for replace_item_in_object, see #675
- Fix a null pointer crash in cJSON_ReplaceItemViaPointer, see #726
- Fix potential core dumped for strrchr, see #546
- Fix null pointer crash in cJSON_CreateXxArray, see #538
- Fix several null pointer problems on allocation failure, see #526
- Fix a possible dereference of null pointer, see #519
- Fix windows build failure about defining nan, see #518
- optimize the way to find tail node, see #503
- Fix WError error on macosx because NAN is a float. Thanks @sappo, see #484
- Fix some bugs in detach and replace. Thanks @miaoerduo, see #456
- add new API of cJSON_ParseWithLength without breaking changes. Thanks @caglarivriz, see #358
- add new API of cJSON_GetNumberValue. Thanks @Intuition, see #385
- add uninstall target function for CMake. See #402
- Improve performance of adding item to array. Thanks @xiaomianhehe, see #430, #448
- add new API of cJSON_SetValuestring, for changing the valuestring safely. See #451
- add return value for cJSON_AddItemTo... and cJSON_ReplaceItem... (check if the operation was successful). See #453
- Fix clang -Wfloat-equal warning. Thanks @paulmalovanyi, see #368
- Fix make failed in mac os. See #405
- Fix memory leak in cJSONUtils_FindPointerFromObjectTo. Thanks @andywolk for reporting, see #414
- Fix bug in encode_string_as_pointer. Thanks @AIChangJiang for reporting, see #439
- Fix infinite loop in cJSON_Minify (potential Denial of Service). Thanks @Alanscut for reporting, see #354
- Fix link error for Visual Studio. Thanks @tan-wei, see #352.
- Undefine true and false for cJSON_Utils before redefining them. Thanks @raiden00pl, see #347.
- Fix a bug where cJSON_Minify could overflow its buffer, both reading and writing. This is a security issue, see #338. Big thanks @bigric3 for reporting.
- Unset true and false macros before setting them if they exist. See #339, thanks @raiden00pl for reporting
- Fix package config file for libcjson. Thanks @shiluotang for reporting #321
- Correctly split lists in cJSON_Utils's merge sort. Thanks @andysCaplin for the fix #322
- Fix a bug where cJSON_GetObjectItemCaseSensitive would pass a null pointer to strcmp when called on an array, see #315. Thanks @yuweol for reporting.
- Fix error in cJSON_Utils where the case sensitivity was not respected, see #317. Thanks @yuta-oxo for fixing.
- Fix some warnings detected by the Visual Studio Static Analyzer, see #307. Thanks @bnason-nf
- cJSON now works with the __stdcall calling convention on Windows, see #295, thanks @zhindes for contributing
- Fix a memory leak when realloc fails, see #267, thanks @AlfieDeng for reporting
- Fix a typo in the header file, see #266, thanks @zhaozhixu
- Add SONAME to the ELF files built by the Makefile, see #252, thanks @YanhaoMo for reporting
- Add include guards and extern "C" to cJSON_Utils.h, see #256, thanks @daschfg for reporting
Other changes:
- Mark the Makefile as deprecated in the README.
- Fix a bug in the JSON Patch implementation of cJSON Utils, see #251, thanks @bobkocisko.
- Fix potential use after free if the string parameter to cJSON_AddItemToObject is an alias of the string property of the object that is added, see #248. Thanks @hhallen for reporting.
- Fix potential double free, thanks @projectgus for reporting #241
- Fix the use of GNUInstallDirs variables and the pkgconfig file. Thanks @zeerd for reporting #240
- Fixed an Off-By-One error that could lead to an out of bounds write. Thanks @liuyunbin for reporting #230
- Fixed two errors with buffered printing. Thanks @liuyunbin for reporting #230
- Large rewrite of the documentation, see #215
- Added the cJSON_GetStringValue function
- Added the cJSON_CreateStringReference function
- Added the cJSON_CreateArrayReference function
- Added the cJSON_CreateObjectReference function
- The cJSON_Add...ToObject macros are now functions that return a pointer to the added item, see #226
- Fix a problem with GNUInstallDirs in the CMakeLists.txt, thanks @yangfl, see #210
- Fix linking the tests when building as static library, see #213
- New overrides for the CMake option BUILD_SHARED_LIBS, see #207
- Readme: Explain how to include cJSON, see #211
- Removed some trailing spaces in the code, thanks @yangfl, see #212
- Updated Unity and json-patch-tests
- You can now build cJSON as both shared and static library at once with CMake using -DBUILD_SHARED_AND_STATIC_LIBS=On, see #178
- UTF-8 byte order marks are now ignored, see #184
- Locales can now be disabled with the option -DENABLE_LOCALES=Off, see #202, thanks @Casperinous
- Better support for MSVC and Visual Studio
- Add the new warnings -Wswitch-enum, -Wused-but-marked-unused, -Wmissing-variable-declarations, -Wunused-macro
- More number printing tests.
- Continuous integration testing with AppVeyor (semi automatic at this point), thanks @simon-p-r
- Set the global error pointer even if return_parse_end is passed to cJSON_ParseWithOpts, see #200, thanks @rmallins
- Fix make test in the Makefile, thanks @YanhaoMo for reporting this #195
- Fix a bug where realloc failing would return a pointer to an invalid memory address. This is a security issue as it could potentially be used by an attacker to write to arbitrary memory addresses, see #189, fixed in 954d61e, big thanks @timothyjohncarney for reporting this issue
- Fix a spelling mistake in the AFL fuzzer dictionary, see #185, thanks @jwilk
- Make cJSON a lot more tolerant about passing NULL pointers to its functions, it should now fail safely instead of dereferencing the pointer, see #183. Thanks @msichal for reporting #182
- Fix pointers to nested arrays in cJSON_Utils, see 9abe
- Fix an error with case sensitivity handling in cJSON_Utils, see b9cc911
- Fix cJSON_Compare for arrays that are prefixes of the other and objects that are a subset of the other, see 03ba72f and #180, thanks @zhengqb for reporting
- Fix build with GCC 7.1.1 and optimization level -O2, see bfbd8fe
- Update Unity to 3b69beaa58efc41bbbef70a32a46893cae02719d
- Fix cJSON_ReplaceItemInObject not keeping the name of an item, see #174
- Fix a reading buffer overflow in parse_string, see a167d9e
- Fix compiling with -Wcomma, see 186cce3
- Remove leftover attribute from tests, see b537ca7
- Add gcc version guard to the Makefile, see #164, thanks @juvasquezg
- Fix incorrect free in cJSON_Utils if custom memory allocator is used, see #166, thanks @prefetchnta
Features:
- cJSON finally prints numbers without losing precision, see #153, thanks @DeboraG
- cJSON_Compare recursively checks if two cJSON items contain the same values, see #148
- Provide case sensitive versions of every function where it matters, see #158 and #159
- Added cJSON_ReplaceItemViaPointer and cJSON_DetachItemViaPointer
- Added cJSON_free and cJSON_malloc that expose the internal configured memory allocators. see 02a05ee
- Parse into a buffer, this will allow parsing \u0000 in the future (not quite yet though)
- General simplifications and readability improvements
- More unit tests
- Update unity testing library to 2.4.1
- Add the json-patch-tests test suite to test cJSON_Utils.
- Move all tests from test_utils.c to unit tests with unity.
- Fix some warnings with the Microsoft compiler, see #139, thanks @PawelWMS
- Fix several bugs in cJSON_Utils, mostly found with json-patch-tests
- Prevent a stack overflow by specifying a maximum nesting depth CJSON_NESTING_LIMIT
- Move generated files in the library_config subdirectory.
- Fix cJSONUtils_ApplyPatches, it was completely broken and apparently nobody noticed (or at least reported it), see 075a06f
- Fix inconsistent prototype for cJSON_GetObjectItemCaseSensitive, see 51d3df6, thanks @PawelWMS
- Several corrections in the README
- Making clear that valueint should not be written to
- Fix overflow detection in ensure, see 2683d4d
- Fix a potential null pointer dereference in cJSON_Utils, see 795c3ac
- Replace incorrect sizeof('\0') with sizeof(""), see 84237ff
- Add caveats section to the README, see 50b3c30
- Make cJSON locale independent, see #146, Thanks @peterh for reporting
- Fix compiling without CMake with MSVC, see #147, Thanks @dertuxmalwieder for reporting
- Fix bug in cJSON_SetNumberHelper, thanks @mmkeeper, see #138 and ef34500
- Workaround for internal compiler error in GCC 5.4.0 and 6.3.1 on x86 (2f65e80a3471d053fdc3f8aed23d01dd1782a5cb GCC bugreport)
- Fix a theoretical integer overflow, (not sure if it is possible on actual hardware), see e58f7ec
- Fix an off by one error, see cc84a44, thanks @gatzka
- Double check the offset of the print buffer in ensure, see 1934059
Improvements:
- Add a note in the header about required buffer size when using cJSON_PrintPreallocated, see 4bfb8800
- Fix compilation of the tests on 32 bit PowerPC and potentially other systems, see 4ec6e76
- Fix compilation with old GCC compilers (4.3+ were tested), see 227d33, 466eb8e, see also #126
- Fix minimum required cmake version, see 30e1e7a
- Fix detection of supported compiler flags, see 76e5296
- Run cJSON_test and cJSON_test_utils along with unity tests, see c597601
- Make print_number abort with a failure in out of memory situations, see cf1842
- Functions to check the type of an item, see #120
- Use dllexport on windows and fvisibility on Unix systems for public functions, see #116, thanks @mjerris
- Remove trailing zeroes from printed numbers, see #123
- Expose the internal boolean type cJSON_bool in the header, see 2d3520e
Fixes
- Fix handling of NULL pointers in cJSON_ArrayForEach, see b47d0e3
- Make it compile with GCC 7 (fix -Wimplicit-fallthrough warning), see 9d07917
Other Improvements
- internally use realloc if available (#110)
- builtin support for fuzzing with afl (#111)
- unit tests for the print functions (#112)
- Always use buffered printing (#113)
- simplify the print functions (#114)
- Add the compiler flags -Wdouble-conversion, -Wparentheses and -Wcomma (#122)
- Don't build the unity library if testing is disabled, see #121. Thanks @ffontaine
- Bugfix release that fixes an out of bounds read, see #118. This shouldn't have any security implications.
This release includes a lot of rework in the parser and includes the Cunity unit testing framework, as well as some fixes. I increased the minor version number because there were quite a lot of internal changes.
Features:
- New type for cJSON structs: cJSON_Invalid, see #108
- runtime checks for a lot of potential integer overflows
- fix incorrect return in cJSON_PrintBuffered cf9d57d
- fix several potential issues found by Coverity
- fix potentially undefined behavior when assigning big numbers to valueint (41e2837)
  - Numbers exceeding INT_MAX or lower than INT_MIN will be explicitly assigned to valueint as INT_MAX and INT_MIN respectively (saturation on overflow).
  - fix the cJSON_SetNumberValue macro (87f7727), this slightly changes the behavior, see commit message
- Started writing unit tests with the Cunity testing framework. Currently this covers the parser functions.
Also:
- Support for running the tests with Valgrind
- Support for compiling the tests with AddressSanitizer and UndefinedBehaviorSanitizer.
- travis.yml file for running unit tests on travis. (not enabled for the repository yet though #102)
After having unit tests for the parser function in place, I started refactoring the parser functions (as well as others) and making them easier to read and maintain.
- Use strtod from the standard library for parsing numbers (0747669)
- Use goto-fail in several parser functions (#100)
- Rewrite/restructure all of the parsing functions to be easier to understand and have less code paths doing the same as another. (#109)
- Simplify the buffer allocation strategy to always doubling the needed amount (9f6fa94)
- Combined cJSON_AddItemToObject and cJSON_AddItemToObjectCS to one function (cf862d)
- Prevent the usage of incompatible C and header versions via preprocessor directive (123bb1)
- Let CMake automatically detect compiler flags
- Add new compiler flags (-Wundef, -Wswitch-default, -Wconversion, -fstack-protector-strong) (#98)
- Change internal sizes from int to size_t (ecd5678)
- Change internal strings from char* to unsigned char* (28b9ba4)
- Add const in more places
- Fixes a potential null pointer dereference in cJSON_Utils, discovered using clang's static analyzer by @bnason-nf, see #96
- Compiler warning if const is casted away, Thanks @gatzka, see #83
- Fix compile error with strict-overflow on PowerPC, see #85
- Fix typo in the README, thanks @MicroJoe, see #88
- Add compile flag for compatibility with C++ compilers
- Add a function cJSON_PrintPreallocated to print to a preallocated buffer, thanks @ChisholmKyle, see #72
- More compiler warnings when using Clang or GCC, thanks @gatzka, see #75, #78
- fixed a memory leak in cJSON_Duplicate, thanks @alperakcan, see #81
- fix the ENABLE_CUSTOM_COMPILER_FLAGS cmake option
- Rename internal boolean type, see #71.
Small bugfix release.
- Fixes a bug with the use of the cJSON structs type in cJSON_Utils, see d47339e
- improve code readability
- initialize all variables
This is the first official versioned release of cJSON. It provides an API version for the shared library and improved Makefile and CMake build files.