[Vulnerability] Atomic Rollback Failure in cJSONUtils_ApplyPatchesCaseSensitive leads to "Dirty State" on error #997
Description
Clear and concise description of the bug:
The function cJSONUtils_ApplyPatchesCaseSensitive lacks transactional atomicity when applying a sequence of JSON patches. It utilizes an "in-place modification" strategy without creating a snapshot or backup of the original object.
If an error occurs in the middle of a patch sequence (e.g., a remove operation on a non-existent path), the function immediately returns an error code but does not revert the patches that were successfully applied earlier in the same call. This results in the target JSON object being left in an unpredictable "dirty" or partially modified state, which can be exploited for security bypasses (like privilege escalation) or cause data inconsistency.
Steps to reproduce the bug:
1. Prepare a base JSON object:
```json
{ "status": "locked", "count": 1 }
```
2. Construct a malicious patch sequence with "success-then-fail" logic:
```json
[
  { "op": "replace", "path": "/status", "value": "unlocked" },
  { "op": "remove", "path": "/non_existent_path_to_force_error" }
]
```
3. Apply the patches using cJSONUtils_ApplyPatchesCaseSensitive.
4. Observe the result: the function returns a non-zero error code (e.g., 13), but the status field in the original object has already been changed to "unlocked".
Expected behavior:
If cJSONUtils_ApplyPatchesCaseSensitive fails to apply the entire patch set, it should ensure the original JSON object remains unchanged (Atomicity), or provide a mechanism to roll back to the initial state.
Observed behavior:
The function returns an error, but the memory state of the object is permanently altered by the preceding successful patch operations.
Expected State after failure: {"status": "locked", "count": 1}
Actual Dirty State: {"status": "unlocked", "count": 1}
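The following is an added Python model of the two behaviours described above (the in-place apply that leaves a dirty state, and the snapshot-and-commit pattern the expected-behavior section asks for); it is not cJSON code, supports only object (dict) paths, and the patch applier and the `demo` helper are constructed for illustration.

```python
import copy

class PatchError(Exception):
    """One operation failed (the analogue of a non-zero return from cJSONUtils_ApplyPatches)."""

def _resolve(doc, path):
    """Walk an RFC 6901 pointer through nested objects; return (parent, last_key)."""
    parts = [p.replace("~1", "/").replace("~0", "~") for p in path.split("/")[1:]]
    parent = doc
    for key in parts[:-1]:
        if not isinstance(parent, dict) or key not in parent:
            raise PatchError(f"path not found: {path}")
        parent = parent[key]
    return parent, parts[-1]

def apply_patches_in_place(doc, patches):
    """Problematic pattern: mutate doc as we go and stop at the first failure.
    Earlier operations are never undone, so doc is left partially modified."""
    for op in patches:
        parent, key = _resolve(doc, op["path"])
        if op["op"] in ("add", "replace"):
            if op["op"] == "replace" and key not in parent:
                raise PatchError(f"replace target missing: {op['path']}")
            parent[key] = op["value"]
        elif op["op"] == "remove":
            if key not in parent:
                raise PatchError(f"remove target missing: {op['path']}")
            del parent[key]
        else:
            raise PatchError(f"unsupported op: {op['op']}")
    return doc

def apply_patches_atomic(doc, patches):
    """Hardened pattern: apply every operation to a snapshot and commit only on
    full success, so a mid-sequence failure leaves the caller's doc untouched."""
    working = copy.deepcopy(doc)
    apply_patches_in_place(working, patches)  # raises PatchError; doc unchanged
    doc.clear()
    doc.update(working)
    return doc

# Constructed input: the base object and success-then-fail sequence from the report.
BASE = {"status": "locked", "count": 1}
PATCHES = [
    {"op": "replace", "path": "/status", "value": "unlocked"},
    {"op": "remove", "path": "/non_existent_path_to_force_error"},
]

def demo():
    """Return (dirty_state, atomic_state) after the failing patch sequence."""
    dirty, safe = copy.deepcopy(BASE), copy.deepcopy(BASE)
    for target, apply in ((dirty, apply_patches_in_place), (safe, apply_patches_atomic)):
        try:
            apply(target, PATCHES)
        except PatchError:
            pass  # both paths fail on the second op; only the first one leaks state
    return dirty, safe
```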
Platform(s) (compiler version, operating system version, CPU) on which the bug was observed:
OS: Ubuntu 20.04 LTS
Compiler: GCC 9.4.0
Build System: CMake 3.16.3
cJSON release(s), commit(s), or branch(es) in which the bug was observed:
cJSON (main branch)
Affected File: cJSON_Utils.c
Affected Function: cJSONUtils_ApplyPatchesCaseSensitive and internal apply_patch.