Merge pull request from GHSA-686w-5m7m-54vc
decNumberToString calls for a buffer that can hold a string of digits+14
characters, not a buffer of size digits+14.
We need to allocate an extra byte for the NUL byte.
-10E-1000010001, for example, will be stringified as -1.0E-1000010000
and decNumberToString will currently write an extra NUL byte after the
allocated buffer in the heap.
Originally reported by @SEU-SSL on GitHub.
Ref: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64574
Fixes GHSA-686w-5m7m-54vc
diff --git a/NEWS.md b/NEWS.md
index 913be89..14a594b 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -2,7 +2,7 @@
## Security
-- CVE-2023-50246: ....
+- CVE-2023-50246: Fix heap buffer overflow in jvp\_literal\_number\_literal
- CVE-2023-50268: fix stack-buffer-overflow if comparing nan with payload
## CLI changes
diff --git a/src/jv.c b/src/jv.c
index 6ca1e1d..e23d8ec 100644
--- a/src/jv.c
+++ b/src/jv.c
@@ -635,7 +635,7 @@
}
if (plit->literal_data == NULL) {
- int len = jvp_dec_number_ptr(n)->digits + 14;
+ int len = jvp_dec_number_ptr(n)->digits + 15 /* 14 + NUL */;
plit->literal_data = jv_mem_alloc(len);
// Preserve the actual precision as we have parsed it
diff --git a/tests/shtest b/tests/shtest
index a426c79..14aafbf 100755
--- a/tests/shtest
+++ b/tests/shtest
@@ -609,4 +609,9 @@
exit 1
fi
+# CVE-2023-50246: No heap overflow for '-10E-1000000001'
+$VALGRIND $Q $JQ . <<\NUM
+-10E-1000000001
+NUM
+
exit 0
