Merge pull request from GHSA-686w-5m7m-54vcjq-1.7.1

decNumberToString calls for a buffer that can hold a string of digits+14 characters, not a buffer of size digits+14. We need to allocate an extra byte for the NUL byte. -10E-1000010001, for example, will be stringified as -1.0E-1000010000 and decNumberToString will currently write an extra NUL byte after the allocated buffer in the heap. Originally reported by @SEU-SSL on GitHub. Ref: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64574 Fixes GHSA-686w-5m7m-54vc
author: Emanuele Torre <torreemanuele6@gmail.com> 2023-12-13 20:20:22 +0100
committer: GitHub <noreply@github.com> 2023-12-13 20:20:22 +0100
commit: 71c2ab509a8628dbbad4bc7b3f98a64aa90d3297 (patch)
tree: fe7a1f7b4580426266209f6047adb4e9736cd06c /src/jv.c
parent: c9a51565214eece8f1053089739aea73145bfd6b (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/jv.c b/src/jv.c
index 6ca1e1d0..e23d8ec1 100644
--- a/src/jv.c
+++ b/src/jv.c
@@ -635,7 +635,7 @@ static const char* jvp_literal_number_literal(jv n) {
   }
 
   if (plit->literal_data == NULL) {
-    int len = jvp_dec_number_ptr(n)->digits + 14;
+    int len = jvp_dec_number_ptr(n)->digits + 15 /* 14 + NUL */;
     plit->literal_data = jv_mem_alloc(len);
 
     // Preserve the actual precision as we have parsed it
author	Emanuele Torre <torreemanuele6@gmail.com>	2023-12-13 20:20:22 +0100
committer	GitHub <noreply@github.com>	2023-12-13 20:20:22 +0100
commit	71c2ab509a8628dbbad4bc7b3f98a64aa90d3297 (patch)
tree	fe7a1f7b4580426266209f6047adb4e9736cd06c /src/jv.c
parent	c9a51565214eece8f1053089739aea73145bfd6b (diff)