Merge pull request from GHSA-7hmr-442f-qc8j
The unit allocated for decNumberCompare was accidentally removed by
commit 680baef (PR #2804)

This caused a stack overflow when comparing a nan with a payload of 1000
or more.

This bug was found by OSS-fuzz.
Ref: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64771
Fixes GHSA-7hmr-442f-qc8j

It also fixes 1e999999999 > 1e-1147483646 triggering UBSAN errors
Fixes #2968
emanuele6 authored Dec 13, 2023
1 parent c5fd64b commit c9a5156
Showing 3 changed files with 14 additions and 5 deletions.
2 changes: 1 addition & 1 deletion NEWS.md
@@ -3,7 +3,7 @@
## Security

- CVE-2023-50246: ....
- CVE-2023-50268: ....
- CVE-2023-50268: fix stack-buffer-overflow if comparing nan with payload

## CLI changes
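Review bot: the rewritten entry `CVE-2023-50268: fix stack-buffer-overflow if comparing nan with payload` drops the detail the commit message gives (a NaN with a payload of 1000 or more), and the commit's second fix, the UBSAN errors on `1e999999999 > 1e-1147483646` (#2968), gets no NEWS entry at all; suggest `- CVE-2023-50268: fix stack-buffer-overflow when comparing a NaN with a payload of 1000 or more (also fixes UBSAN errors in number comparison, #2968)`. The `- CVE-2023-50246: ....` placeholder on the line above is still left unfilled in this hunk.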

12 changes: 8 additions & 4 deletions src/jv.c
@@ -740,15 +740,19 @@ int jvp_number_cmp(jv a, jv b) {

#ifdef USE_DECNUM
if (JVP_HAS_FLAGS(a, JVP_FLAGS_NUMBER_LITERAL) && JVP_HAS_FLAGS(b, JVP_FLAGS_NUMBER_LITERAL)) {
decNumber res;
decNumberCompare(&res,
struct {
decNumber number;
decNumberUnit units[1];
} res;

decNumberCompare(&res.number,
jvp_dec_number_ptr(a),
jvp_dec_number_ptr(b),
DEC_CONTEXT()
);
if (decNumberIsZero(&res)) {
if (decNumberIsZero(&res.number)) {
return 0;
} else if (decNumberIsNegative(&res)) {
} else if (decNumberIsNegative(&res.number)) {
return -1;
} else {
return 1;
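Review bot: the `decNumberUnit units[1];` member of the anonymous struct that replaces `decNumber res;` carries no comment saying why exactly one extra unit is enough for what `decNumberCompare` writes; since the commit message says the original unit allocation was removed by accident in 680baef, a comment such as `/* extra unit: decNumberCompare writes a NaN (with payload) into res when an operand is NaN; GHSA-7hmr-442f-qc8j */` next to the declaration would keep the next refactor from dropping it again. It would also help to state whether that bound depends on the digits configured in `DEC_CONTEXT()`, so that a later change to the context precision is checked against this allocation rather than silently reintroducing the overflow.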
5 changes: 5 additions & 0 deletions tests/shtest
@@ -594,6 +594,11 @@ if ! x=$($JQ -n "1 # foo$cr + 2") || [ "$x" != 1 ]; then
exit 1
fi

# CVE-2023-50268: No stack overflow comparing a nan with a large payload
$VALGRIND $Q $JQ '1 != .' <<\EOF >/dev/null
Nan4000
EOF

# Allow passing the inline jq script before -- #2919
if ! r=$($JQ --args -rn -- '$ARGS.positional[0]' bar) || [ "$r" != bar ]; then
echo "passing the inline script after -- didn't work"
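Review bot: the new `$VALGRIND $Q $JQ '1 != .' <<\EOF >/dev/null` test, unlike the neighbouring tests, never checks the exit status or the output, so unless the script runs under `set -e` a crash or non-zero exit from jq on `Nan4000` would pass silently; suggest the surrounding pattern, e.g. `if ! $VALGRIND $Q $JQ '1 != .' <<\EOF >/dev/null` ... `then echo "comparing a NaN with a large payload failed"; exit 1; fi`, or asserting that the output is `true`. The commit message also says the change fixes the UBSAN errors for `1e999999999 > 1e-1147483646` (#2968), but no regression test for that comparison is added in this hunk.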

0 comments on commit c9a5156