Package: libjsoncpp
Version: 0.10.2-3
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu wily ubuntu-patch
Dear Maintainer,

In a unity scope used in Ubuntu, we noticed a locale oddity where a price of "2.99" was shown as "2,00" in a Spanish locale. It got traced to libjsoncpp and the attached patch to use stringstream for doubles. Thanks for considering the patch. (Which is the only remaining delta for Ubuntu)

-- System Information:
Debian Release: jessie/sid
  APT prefers wily-updates
  APT policy: (500, 'wily-updates'), (500, 'wily-security'), (500, 'wily'), (500, 'vivid')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.19.0-20-generic (SMP w/4 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru libjsoncpp-0.10.2/debian/patches/fix-double-parsing.patch libjsoncpp-0.10.2/debian/patches/fix-double-parsing.patch --- libjsoncpp-0.10.2/debian/patches/fix-double-parsing.patch 1969-12-31 19:00:00.000000000 -0500 +++ libjsoncpp-0.10.2/debian/patches/fix-double-parsing.patch 2015-06-15 12:27:51.000000000 -0400 
@@ -0,0 +1,46 @@ +Description: Use stringstream to convert real numbers from strings. +Author: Rodney Dawes <[email protected]> +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1368420 + +=== modified file 'src/lib_json/json_reader.cpp' +Index: libjsoncpp-0.10.2-3ubuntu1/src/lib_json/json_reader.cpp +=================================================================== +--- libjsoncpp-0.10.2-3ubuntu1.orig/src/lib_json/json_reader.cpp ++++ libjsoncpp-0.10.2-3ubuntu1/src/lib_json/json_reader.cpp +@@ -561,33 +561,11 @@ bool Reader::decodeDouble(Token& token) + + bool Reader::decodeDouble(Token& token, Value& decoded) { + double value = 0; +- const int bufferSize = 32; +- int count; +- int length = int(token.end_ - token.start_); + +- // Sanity check to avoid buffer overflow exploits. +- if (length < 0) { +- return addError("Unable to parse token length", token); +- } ++ std::string buffer( token.start_, token.end_ ); ++ std::istringstream is(buffer); + +- // Avoid using a string constant for the format control string given to +- // sscanf, as this can cause hard to debug crashes on OS X. See here for more +- // info: +- // +- // http://developer.apple.com/library/mac/#DOCUMENTATION/DeveloperTools/gcc-4.0.1/gcc/Incompatibilities.html +- char format[] = "%lf"; +- +- if (length <= bufferSize) { +- Char buffer[bufferSize + 1]; +- memcpy(buffer, token.start_, length); +- buffer[length] = 0; +- count = sscanf(buffer, format, &value); +- } else { +- std::string buffer(token.start_, token.end_); +- count = sscanf(buffer.c_str(), format, &value); +- } +- +- if (count != 1) ++ if (!(is >> value)) + return addError("'" + std::string(token.start_, token.end_) + + "' is not a number.", + token); diff -Nru libjsoncpp-0.10.2/debian/patches/series libjsoncpp-0.10.2/debian/patches/series --- libjsoncpp-0.10.2/debian/patches/series 2015-06-12 05:51:38.000000000 -0400 +++ libjsoncpp-0.10.2/debian/patches/series 2015-06-15 12:29:06.000000000 -0400 
@@ -1,4 +1,5 @@ 0004-fix-include-path.patch 0001-multiarch-path-support.patch 0003-fix-arm.patch +fix-double-parsing.patch
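Review bot: The replacement `std::istringstream is(buffer);` in the `decodeDouble` hunk is still locale-dependent: a default-constructed stream is imbued with the global C++ locale, so this only fixes the report because most programs change the C library locale (which `sscanf` honours via `setlocale`) without also calling `std::locale::global()`; a process that does install a comma-decimal locale globally would again read "2.99" as 2 without any error. Pin the stream explicitly with `is.imbue(std::locale::classic());` right after constructing it. Two smaller points in the same hunk: the visible lines add no `#include <sstream>`, so confirm json_reader.cpp already includes it; and the removed `if (length < 0)` sanity check is not replaced, so if `token.end_` can ever precede `token.start_`, `std::string(token.start_, token.end_)` is undefined behaviour instead of a reported error. The DEP-3 header (Description/Author/Bug-Ubuntu) would also benefit from a `Forwarded:` line pointing at the upstream submission, so the delta can be dropped once merged.

Review bot: The new entry `fix-double-parsing.patch` in the `series` hunk does not follow the numbered `NNNN-` naming used by the existing entries (`0001-`, `0003-`, `0004-`); naming it e.g. `0005-fix-double-parsing.patch` keeps the series consistent and makes its position in the stack explicit.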
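The locale trap behind this report, as an added example that is not part of the bug report or of the jsoncpp code: a constructed comma-decimal numpunct facet is installed as the global C++ locale, a default-constructed istringstream (as in the patch) then reads "2.99" as 2, while a parser that imbues std::locale::classic() and rejects trailing characters still returns 2.99. The CommaDecimal facet and the function names (parseDoubleGlobalLocale, parseDoubleClassic, demoUnderCommaLocale, classicOrMinusOne) are assumptions of this example.

```cpp
#include <cstdio>
#include <locale>
#include <sstream>
#include <string>
// Constructed stand-in for the numpunct facet of a locale such as es_ES
// (',' as decimal point), so the demo needs no locales installed.
struct CommaDecimal : std::numpunct<char> {
    char do_decimal_point() const override { return ','; }
};

// As the Ubuntu patch does: a default-constructed istringstream, which
// parses numbers according to whatever global C++ locale is in force.
bool parseDoubleGlobalLocale(const std::string& text, double& out) {
    std::istringstream is(text);
    out = 0;
    return !(is >> out).fail();
}

// Hardened variant: pin the stream to the classic "C" locale so '.' is
// always the decimal point, as JSON requires, and reject trailing input.
bool parseDoubleClassic(const std::string& text, double& out) {
    std::istringstream is(text);
    is.imbue(std::locale::classic());
    out = 0;
    if ((is >> out).fail()) return false;
    return is.peek() == std::char_traits<char>::eof();  // token fully consumed
}

// Reproduce the report: make the comma-decimal locale global, parse "2.99",
// restore the old locale. pinned=false mirrors the patched reader (2), pinned=true the hardened one (2.99).
double demoUnderCommaLocale(bool pinned) {
    std::locale saved = std::locale::global(
        std::locale(std::locale::classic(), new CommaDecimal));
    double v = 0;
    if (pinned) parseDoubleClassic("2.99", v);
    else        parseDoubleGlobalLocale("2.99", v);
    std::locale::global(saved);
    return v;
}

// Parsed value from the hardened parser, or -1 when it rejects the input.
double classicOrMinusOne(const std::string& text) {
    double v = 0;
    return parseDoubleClassic(text, v) ? v : -1.0;
}
int main() {
    std::printf("patched reader, comma locale: %g\n", demoUnderCommaLocale(false));
    std::printf("pinned reader,  comma locale: %g\n", demoUnderCommaLocale(true));
}
```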

