Source: jq Version: 1.6-2.1 Severity: normal Dear Maintainer,
The patch was taken from commit de21386.. modified to apply to jq-1.6. The build includes a test for the bug which hangs the build if the fix is not included. The modified jq and libjq1 install. -- System Information: Debian Release: 12.10 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 6.8.0-52-generic (SMP w/32 CPU threads; PREEMPT) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: unable to detect
>From de21386681c0df0104a99d9d09db23a9b2a78b1e Mon Sep 17 00:00:00 2001 From: itchyny <itch...@cybozu.co.jp> Date: Wed, 21 May 2025 07:45:00 +0900 Subject: [PATCH] Fix signed integer overflow in jvp_array_write and jvp_object_rehash This commit fixes signed integer overflow and SEGV issues on growing arrays and objects. The size of arrays and objects is now limited to `536870912` (`0x20000000`). This fixes CVE-2024-23337 and fixes #3262. --- Original patch from https://github.com/jqlang/jq.git commit de21386681c0df0104a99d9d09db23a9b2a78b1e Modified for version 1.6 Signed-off-by: Joe Slater <joe.sla...@windriver.com> --- src/jv.c | 45 ++++++++++++++++++++++++++++++++++++--------- src/jv_aux.c | 9 +++++---- tests/jq.test | 4 ++++ 3 files changed, 45 insertions(+), 13 deletions(-) Index: b/src/jv.c =================================================================== --- a/src/jv.c 2025-05-29 23:00:08.463889536 +0000 +++ b/src/jv.c 2025-05-30 16:30:10.026820494 +0000 @@ -352,6 +352,11 @@ jv_free(val); return jv_invalid_with_msg(jv_string("Out of bounds negative array index")); } + if (idx > (INT_MAX >> 2) - jvp_array_offset(j)) { + jv_free(j); + jv_free(val); + return jv_invalid_with_msg(jv_string("Array index too large")); + } // copy/free of val,j coalesced jv* slot = jvp_array_write(&j, idx); jv_free(*slot); @@ -371,6 +376,7 @@ // FIXME: could be faster jv_array_foreach(b, i, elem) { a = jv_array_append(a, elem); + if (!jv_is_valid(a)) break; } jv_free(b); return a; @@ -661,6 +667,7 @@ p = jstr; while ((p = _jq_memmem(p, (jstr + jlen) - p, idxstr, idxlen)) != NULL) { a = jv_array_append(a, jv_number(p - jstr)); + if (!jv_is_valid(a)) break; p += idxlen; } jv_free(j); @@ -682,14 +689,17 @@ if (seplen == 0) { int c; - while ((jstr = jvp_utf8_next(jstr, jend, &c))) + while ((jstr = jvp_utf8_next(jstr, jend, &c))) { a = jv_array_append(a, jv_string_append_codepoint(jv_string(""), c)); + if (!jv_is_valid(a)) break; + } } else { for (p = jstr; p < jend; p = s + seplen) { s = _jq_memmem(p, jend - p, sepstr, seplen); if (s == NULL) s = jend; a = jv_array_append(a, jv_string_sized(p, s - p)); + if (!jv_is_valid(a)) break; // Add an empty string to denote that j ends on a sep if (s + seplen == jend && seplen != 0) a = jv_array_append(a, jv_string("")); @@ -707,8 +717,10 @@ const char* end = i + len; jv a = jv_array_sized(len); int c; - while ((i = jvp_utf8_next(i, end, &c))) + while ((i = jvp_utf8_next(i, end, &c))) { a = jv_array_append(a, jv_number(c)); + if (!jv_is_valid(a)) break; + } jv_free(j); return a; } @@ -978,10 +990,13 @@ } } -static jv jvp_object_rehash(jv object) { +static int jvp_object_rehash(jv *objectp) { + jv object = *objectp; assert(jv_get_kind(object) == JV_KIND_OBJECT); assert(jvp_refcnt_unshared(object.u.ptr)); int size = jvp_object_size(object); + if (size > INT_MAX >> 2) + return 0; jv new_object = jvp_object_new(size * 2); for (int i=0; i<size; i++) { struct object_slot* slot = jvp_object_get_slot(object, i); @@ -994,7 +1009,8 @@ } // references are transported, just drop the old table jv_mem_free(jvp_object_ptr(object)); - return new_object; + *objectp = new_object; + return 1; } static jv jvp_object_unshare(jv object) { @@ -1023,27 +1039,32 @@ return new_object; } -static jv* jvp_object_write(jv* object, jv key) { +static int jvp_object_write(jv* object, jv key, jv **valpp) { *object = jvp_object_unshare(*object); int* bucket = jvp_object_find_bucket(*object, key); struct object_slot* slot = jvp_object_find_slot(*object, key, bucket); if (slot) { // already has the key jvp_string_free(key); - return &slot->value; + *valpp = &slot->value; + return 1; } slot = jvp_object_add_slot(*object, key, bucket); if (slot) { slot->value = jv_invalid(); } else { - *object = jvp_object_rehash(*object); + if (!jvp_object_rehash(object)) { + *valpp = NULL; + return 0; + } bucket = jvp_object_find_bucket(*object, key); assert(!jvp_object_find_slot(*object, key, bucket)); slot = jvp_object_add_slot(*object, key, bucket); assert(slot); slot->value = jv_invalid(); } - return &slot->value; + *valpp = &slot->value; + return 1; } static int jvp_object_delete(jv* object, jv key) { @@ -1128,7 +1149,11 @@ assert(jv_get_kind(object) == JV_KIND_OBJECT); assert(jv_get_kind(key) == JV_KIND_STRING); // copy/free of object, key, value coalesced - jv* slot = jvp_object_write(&object, key); + jv* slot; + if (!jvp_object_write(&object, key, &slot)) { + jv_free(object); + return jv_invalid_with_msg(jv_string("Object too big")); + } jv_free(*slot); *slot = value; return object; @@ -1153,6 +1178,7 @@ assert(jv_get_kind(a) == JV_KIND_OBJECT); jv_object_foreach(b, k, v) { a = jv_object_set(a, k, v); + if (!jv_is_valid(a)) break; } jv_free(b); return a; @@ -1172,6 +1198,7 @@ jv_free(elem); a = jv_object_set(a, k, v); } + if (!jv_is_valid(a)) break; } jv_free(b); return a; Index: b/src/jv_aux.c =================================================================== --- a/src/jv_aux.c 2025-05-29 23:00:08.463889536 +0000 +++ b/src/jv_aux.c 2025-05-29 23:00:08.457889536 +0000 @@ -148,18 +148,19 @@ if (slice_len < insert_len) { // array is growing int shift = insert_len - slice_len; - for (int i = array_len - 1; i >= end; i--) { + for (int i = array_len - 1; i >= end && jv_is_valid(t); i--) { t = jv_array_set(t, i + shift, jv_array_get(jv_copy(t), i)); } } else if (slice_len > insert_len) { // array is shrinking int shift = slice_len - insert_len; - for (int i = end; i < array_len; i++) { + for (int i = end; i < array_len && jv_is_valid(t); i++) { t = jv_array_set(t, i - shift, jv_array_get(jv_copy(t), i)); } - t = jv_array_slice(t, 0, array_len - shift); + if (jv_is_valid(t)) + t = jv_array_slice(t, 0, array_len - shift); } - for (int i=0; i < insert_len; i++) { + for (int i = 0; i < insert_len && jv_is_valid(t); i++) { t = jv_array_set(t, start + i, jv_array_get(jv_copy(v), i)); } jv_free(v); Index: b/tests/jq.test =================================================================== --- a/tests/jq.test 2025-05-29 23:00:08.463889536 +0000 +++ b/tests/jq.test 2025-05-29 23:00:08.458889536 +0000 @@ -186,6 +186,10 @@ [0,1,2] [0,5,2] +try (.[999999999] = 0) catch . +null +"Array index too large" + # # Multiple outputs, iteration #
