json-c: integer overflow and out-of-bounds write (CVE-2020-12762)

json-c through 0.14 has an integer overflow and out-of-bounds write via a large JSON file, as demonstrated by printbuf_memappend.

References:

• https://nvd.nist.gov/vuln/detail/CVE-2020-12762
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-12762

Patches:

• https://github.com/json-c/json-c/pull/608 (0.14)
• https://github.com/json-c/json-c/pull/607 (0.13.x)

Affected branches:

• master
• 3.11-stable
• 3.10-stable
• 3.9-stable