1.2304.0, 2023-04-18 - change of release number scheme, now like rsyslog - fix Fix CVE-2020-12762 Note: the CVE did not affect rsyslog use due to size limits Thanks to Wang Haitao for the patch. 0.99.9 2021-01-26 - add API fjson_object_get_uint() Thanks to Janmejay Singh for contributing the patch. - add API fjson_object_array_del_idx() Thanks to Noriko Hosoi for contributing the patch. - bugfix for dangling pointer that causes segfault The other functions assume that the memory is either set to NULL or a valid json object. The array_list_del_idx function only moves the elements, but does not set the pointer to null, which causes the same pointer to remain in the list (outside of arr->length). Then, when array_list_put_idx is called, the array_list_expand_internal leaps out, meaning that it has not set the indices outside of the requested length to 0. array_list_put_idx finds the pointer, tries to free it and a double free will be incurred, because the actual element is still in the list. Thanks to Michael van der Werve for contributing the patch. 0.99.8 2017-12-18 - make build under gcc7 with strict settings (warning==error) - bugfix: constant key names not properly handled if fjson_object_object_add_ex() is used with option FJSON_OBJECT_KEY_IS_CONSTANT, fjson_object_object_del() will still try to delete the key name. Depending on use, this can lead to double-free, use-after-free or no problem. see also https://github.com/rsyslog/rsyslog/issues/1839 closes https://github.com/rsyslog/libfastjson/issues/148 - fix potentially invalid return value of fjson_object_iter_begin this could lead to callers doing improper opreations and thus could lead to a segfault in callers detected by Coverity scan, CID 198891 - fix small potential memory leak in json_tokener (unlinkely to occur) detected by Coverity Scan, CID 198890 0.99.7 2017-10-17 - added option for case-insensitive comparisons This permits to search for json keys in a case-sensitive way. The default is "off", as this is against the JSON spec. However, rsyslog needs this capability to increase usability inside the variable system. We add a new API call to switch between case-sensitive and case-insensitive comparison, with case-sensitive being the default. closes https://github.com/rsyslog/libfastjson/issues/142 - Removed userdata and custom-serialization functions Reasoning (from pull request): The library uses the concept of "userdata" and "custom serialization functions" that can be set from user space. However, to effectively make use of this feature, a user must have a deep understanding of the internal data representation of the library, which makes this feature not very useful. But what is worse: internally, the library itself also sometimes assigns data to this userdata member (especially when working with doubles), and it also sometimes assigns alternative serialization functions. This makes the feature even more unusable, because as a user you never can know when the userdata pointer is save to use for your own settings, and when you must leave it alone because it is used by the library. Long story short. In this pull request I got rid of the userdata pointer completely. The case where the library was using the "userdata" (for storing the original string representation of a parsed double) has been moved into the union that is already used for storing values. see also: https://github.com/rsyslog/libfastjson/pull/141 Thanks to Emiel Bruijntjes for the patch. 0.99.6 2017-06-19 - fix a build issue under Solaris 0.99.5 2017-05-03 - fix tautology comparison in tautology in `fjson_object_iter_equal` - made build under Solaris again - made to build under AIX Thanks to github user purnimam1 for the patch - fix floating point representation when fractional part is missing see also https://github.com/rsyslog/libfastjson/issues/126 Thanks to Jan Gerhards for the patch. - m4: fix detection of atomics In cross-compilation, it is impossible to run code at configure time to detect the target specifics. As such, AC_TRY_RUN fails miserably to detect reliably that atomic intrisics are present in a toolchain, and decides they are not just because this is cross-compilation. Instead of AC_TRY_RUN, use AC_LINK_IFELSE that does not need to actually run code, since all we're interested in is whether the intrisics are present (or not). Fix both the 32- and 64-bit variants, even if the latter is not used currently. Fixes build failures detected by the Buildroot autobuilders, like: http://autobuild.buildroot.org/results/23a/23ac0e742ed3a70ae4d038f8c9eadc23e708f671/build-end.log http://autobuild.buildroot.org/results/192/1923d0b570adba494f83747a9610ea6ec35f5223/build-end.log and many other cases, espcially on architectures where such intrsics are present, but where the toolchain does not have threads (and anyway, it is much more efficient to use the intrisics rather than use mutexes). Thanks to Yann E. MORIN for the patch. - add fjson_object_dump() and fjson_object_write() functions ... that make it possible to dump the json tree without having to dynamically allocate a string, and to write the tree to a FILE*. NOTE: right now, most of the code is simply copied from the functions that use the "printbuf" for writing the data. I have not touched the old printbuf-implementation, because some other code may still rely on it. However, in my opinion these printbuf-based functions (if it is desirable to keep them in the first place) can now be re-implemented to use the more flexible fjson_object_dump() function. MAINTAINER NOTE: we need to performance-test any new implementation and will do so. The results will ultimately decide which parts of the code remain in the codebase. Thanks to Emiel Bruijntjes for the patch. 0.99.4 2016-08-03 - fix tautology comparison in tautology in `fjson_object_iter_equal` Thanks to Andres Stieger for the patch - improve build system to handle slightly older autoconf versions - fix build problems with gcc6 Thanks to Andres Stieger for the patch 0.99.3 2016-07-11 - new dependency: autoconf-archive - exit() is no longer called in unexpected situations The previous code called exit on some occasions and did not give the caller a chance to do any cleanup or handling on it's own. This has completely been removed. Note that it was very unlikely that this problem affected a caller, as exit() was only called under very rare circumstances (e.g. OOM). - fjson_version now returns configure VERSION This avoid inconsistency. - removal of Windows and Android bits Thanks to Michael Biebl for the patch. - fixes of the build system Thanks to Michael Biebl for the patch. - dropped support for Windows and Android as we do not target these platforms - "make distcheck" now works - fix invalid Unicode representation for some non US-ASCII characters when printed as string. Note that this could potentially also lead to a segfault 0.99.2 2016-03-07 - new API: json_object_get_member_count() - make comaptible with autoconf < 2.64 0.99.1 was never released, but version number has accidently been used by some Adiscon packages. In order to prevent confusion, we have decided not to use this version number for any official version. 0.99.0 2015-12-22 - bugfix: reference counting was not thread-safe NEXT.VERSION ...nothing yet... 0.12 * Address security issues: * CVE-2013-6371: hash collision denial of service * CVE-2013-6370: buffer overflow if size_t is larger than int * Avoid potential overflow in json_object_get_double * Eliminate the mc_abort() function and MC_ABORT macro. * Make the json_tokener_errors array local. It has been deprecated for a while, and json_tokener_error_desc() should be used instead. * change the floating point output format to %.17g so values with more than 6 digits show up in the output. * Remove the old libjson.so name compatibility support. The library is only created as libjson-c.so now and headers are only installed into the ${prefix}/json-c directory. * When supported by the linker, add the -Bsymbolic-functions flag. * Various changes to fix the build on MSVC. * Make strict mode more strict: * number must not start with 0 * no single-quote strings * no comments * trailing char not allowed * only allow lowercase literals * Added a json_object_new_double_s() convenience function to allow an exact string representation of a double to be specified when creating the object and use it in json_tokener_parse_ex() so a re-serialized object more exactly matches the input. * Add support NaN and Infinity 0.11 * IMPORTANT: the name of the library has changed to libjson-c.so and the header files are now in include/json-c. The pkgconfig name has also changed from json to json-c. You should change your build to use appropriate -I and -l options. A compatibility shim is in place so builds using the old name will continue to work, but that will be removed in the next release. * Maximum recursion depth is now a runtime option. json_tokener_new() is provided for compatibility. json_tokener_new_ex(depth) * Include json_object_iterator.h in the installed headers. * Add support for building on Android. * Rewrite json_object_object_add to replace just the value if the key already exists so keys remain valid. * Make it safe to delete keys while iterating with the json_object_object_foreach macro. * Add a json_set_serializer() function to allow the string output of a json_object to be customized. * Make float parsing locale independent. * Add a json_tokener_set_flags() function and a JSON_TOKENER_STRICT flag. * Enable -Werror when building. * speed improvements to parsing 64-bit integers on systems with working sscanf * Add a json_object_object_length function. * Fix a bug (buffer overrun) when expanding arrays to more than 64 entries. 0.10 * Add a json_object_to_json_string_ext() function to allow output to be formatted in a more human readable form. * Add json_object_object_get_ex(), a NULL-safe get object method, to be able to distinguish between a key not present and the value being NULL. * Add an alternative iterator implementation, see json_object_iterator.h * Make json_object_iter public to enable external use of the json_object_object_foreachC macro. * Add a printbuf_memset() function to provide an effecient way to set and append things like whitespace indentation. * Adjust json_object_is_type and json_object_get_type so they return json_type_null for NULL objects and handle NULL passed to json_objct_object_get(). * Rename boolean type to json_bool. * Fix various compile issues for Visual Studio and MinGW. * Allow json_tokener_parse_ex() to be re-used to parse multiple object. Also, fix some parsing issues with capitalized hexadecimal numbers and number in E notation. * Add json_tokener_get_error() and json_tokener_error_desc() to better encapsulate the process of retrieving errors while parsing. * Various improvements to the documentation of many functions. * Add new json_object_array_sort() function. * Fix a bug in json_object_get_int(), which would incorrectly return 0 when called on a string type object. Eric Haszlakiewicz * Add a json_type_to_name() function. Eric Haszlakiewicz * Add a json_tokener_parse_verbose() function. Jehiah Czebotar * Improve support for null bytes within JSON strings. Jehiah Czebotar * Fix file descriptor leak if memory allocation fails in json_util Zachary Blair, zack_blair at hotmail dot com * Add int64 support. Two new functions json_object_net_int64 and json_object_get_int64. Binary compatibility preserved. Eric Haszlakiewicz, EHASZLA at transunion com Rui Miguel Silva Seabra, rms at 1407 dot org * Fix subtle bug in linkhash where lookup could hang after all slots were filled then successively freed. Spotted by Jean-Marc Naud, j dash m at newtraxtech dot com * Make json_object_from_file take const char *filename Spotted by Vikram Raj V, vsagar at attinteractive dot com * Add handling of surrogate pairs (json_tokener.c, test4.c, Makefile.am) Brent Miller, bdmiller at yahoo dash inc dot com * Correction to comment describing printbuf_memappend in printbuf.h Brent Miller, bdmiller at yahoo dash inc dot com 0.9 * Add README.html README-WIN32.html config.h.win32 to Makefile.am Michael Clark, * Add const qualifier to the json_tokener_parse functions Eric Haszlakiewicz, EHASZLA at transunion dot com * Rename min and max so we can never clash with C or C++ std library Ian Atha, thatha at yahoo dash inc dot com * Fix any noticeable spelling or grammar errors. * Make sure every va_start has a va_end. * Check all pointers for validity. Erik Hovland, erik at hovland dot org * Fix json_object_get_boolean to return false for empty string Spotted by Vitaly Kruglikov, Vitaly dot Kruglikov at palm dot com * optimizations to json_tokener_parse_ex(), printbuf_memappend() Brent Miller, bdmiller at yahoo dash inc dot com * Disable REFCOUNT_DEBUG by default in json_object.c * Don't use this as a variable, so we can compile with a C++ compiler * Add casts from void* to type of assignment when using malloc * Add #ifdef __cplusplus guards to all of the headers * Add typedefs for json_object, json_tokener, array_list, printbuf, lh_table Michael Clark, * Null pointer dereference fix. Fix json_object_get_boolean strlen test to not return TRUE for zero length string. Remove redundant includes. Erik Hovland, erik at hovland dot org * Fixed warning reported by adding -Wstrict-prototypes -Wold-style-definition to the compilatin flags. Dotan Barak, dotanba at gmail dot com * Add const correctness to public interfaces Gerard Krol, g dot c dot krol at student dot tudelft dot nl 0.8 * Add va_end for every va_start Dotan Barak, dotanba at gmail dot com * Add macros to enable compiling out debug code Geoffrey Young, geoff at modperlcookbook dot org * Fix bug with use of capital E in numbers with exponents Mateusz Loskot, mateusz at loskot dot net * Add stddef.h include * Patch allows for json-c compile with -Werror and not fail due to -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations Geoffrey Young, geoff at modperlcookbook dot org 0.7 * Add escaping of backslash to json output * Add escaping of foward slash on tokenizing and output * Changes to internal tokenizer from using recursion to using a depth state structure to allow incremental parsing 0.6 * Fix bug in escaping of control characters Johan Björklund, johbjo09 at kth dot se * Remove include "config.h" from headers (should only be included from .c files) Michael Clark 0.5 * Make headers C++ compatible by change *this to *obj * Add ifdef C++ extern "C" to headers * Use simpler definition of min and max in bits.h Larry Lansing, llansing at fuzzynerd dot com * Remove automake 1.6 requirement * Move autogen commands into autogen.sh. Update README * Remove error pointer special case for Windows * Change license from LGPL to MIT Michael Clark 0.4 * Fix additional error case in object parsing * Add back sign reversal in nested object parse as error pointer value is negative, while error value is positive. Michael Clark 0.3 * fix pointer arithmetic bug for error pointer check in is_error() macro * fix type passed to printbuf_memappend in json_tokener * update autotools bootstrap instructions in README Michael Clark 0.2 * printbuf.c - C. Watford (christopher.watford@gmail.com) Added a Win32/Win64 compliant implementation of vasprintf * debug.c - C. Watford (christopher.watford@gmail.com) Removed usage of vsyslog on Win32/Win64 systems, needs to be handled by a configure script * json_object.c - C. Watford (christopher.watford@gmail.com) Added scope operator to wrap usage of json_object_object_foreach, this needs to be rethought to be more ANSI C friendly * json_object.h - C. Watford (christopher.watford@gmail.com) Added Microsoft C friendly version of json_object_object_foreach * json_tokener.c - C. Watford (christopher.watford@gmail.com) Added a Win32/Win64 compliant implementation of strndup * json_util.c - C. Watford (christopher.watford@gmail.com) Added cast and mask to suffice size_t v. unsigned int conversion correctness * json_tokener.c - sign reversal issue on error info for nested object parse spotted by Johan Björklund (johbjo09 at kth.se) * json_object.c - escape " in json_escape_str * Change to automake and libtool to build shared and static library Michael Clark 0.1 * initial release