authorEmanuele Torre <torreemanuele6@gmail.com>2024-03-27 10:16:15 +0100
committerGitHub <noreply@github.com>2024-03-27 10:16:15 +0100
commit22a03e9e06e7a812c6aed16d3e2bc7e091c119a6 (patch)
tree2cc03394d786354a93462f15e27b9f36022e2821
parentbe437ec049bb2300731522ca93f37cd2629b4cc8 (diff)
@base64d: fix unhandled overflow
$ ./jq-before -n '238609295*"|||"|@base64d|"."' src/builtin.c:718:29: runtime error: signed integer overflow: 715827885 * 3 cannot be represented in type 'int' jq: error: cannot allocate memory Aborted (core dumped) $ ./jq-after -n '238609295*"|||"|@base64d|"."' jq: error (at <unknown>): string ("||||||||||...) is not valid base64 data Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67640
-rw-r--r--src/builtin.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/builtin.c b/src/builtin.c
index e93ac321..ebc1863d 100644
--- a/src/builtin.c
+++ b/src/builtin.c
@@ -715,7 +715,7 @@ static jv f_format(jq_state *jq, jv input, jv fmt) {
input = f_tostring(jq, input);
const unsigned char* data = (const unsigned char*)jv_string_value(input);
int len = jv_string_length_bytes(jv_copy(input));
- size_t decoded_len = (3 * len) / 4; // 3 usable bytes for every 4 bytes of input
+ size_t decoded_len = (3 * (size_t)len) / 4; // 3 usable bytes for every 4 bytes of input
char *result = jv_mem_calloc(decoded_len, sizeof(char));
memset(result, 0, decoded_len * sizeof(char));
uint32_t ri = 0;
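Review bot: The cast on the `decoded_len` line only removes the overflow where `size_t` is wider than `int`; on an ILP32 target `3 * (size_t)len` with `len` near `INT_MAX` still wraps (now as defined unsigned wraparound rather than UB), so `decoded_len` comes out far smaller than the input implies and `result` is under-allocated for the decode that presumably follows. Reordering the arithmetic avoids the multiplication overflow for every `len` that fits in a `size_t`: `size_t l = (size_t)len; size_t decoded_len = l / 4 * 3 + l % 4 * 3 / 4;` yields the same value as `(3 * len) / 4` for every non-negative `len`. Separately, the `memset` on the line after `jv_mem_calloc` is redundant since calloc already zero-fills; dropping it, or adding `/* jv_mem_calloc already zeroes; memset kept deliberately */` if it is intentional, would help. f_format begins before and continues after this hunk, so whether the decode loop bounds its writes by `decoded_len` or by the input length cannot be confirmed here.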