diff options
| author | Emanuele Torre <torreemanuele6@gmail.com> | 2023-12-13 20:20:22 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-12-13 20:20:22 +0100 |
| commit | 71c2ab509a8628dbbad4bc7b3f98a64aa90d3297 (patch) | |
| tree | fe7a1f7b4580426266209f6047adb4e9736cd06c /tests | |
| parent | c9a51565214eece8f1053089739aea73145bfd6b (diff) | |
Merge pull request from GHSA-686w-5m7m-54vcjq-1.7.1
decNumberToString calls for a buffer that can hold a string of digits+14
characters, not a buffer of size digits+14.
We need to allocate an extra byte for the NUL byte.
-10E-1000010001, for example, will be stringified as -1.0E-1000010000
and decNumberToString will currently write an extra NUL byte after the
allocated buffer in the heap.
Originally reported by @SEU-SSL on GitHub.
Ref: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64574
Fixes GHSA-686w-5m7m-54vc
Diffstat (limited to 'tests')
| -rwxr-xr-x | tests/shtest | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/tests/shtest b/tests/shtest index a426c79f..14aafbf9 100755 --- a/tests/shtest +++ b/tests/shtest @@ -609,4 +609,9 @@ if ! r=$($JQ --args -rn 1 -- '$ARGS.positional[0]' bar) || [ "$r" != 1 ]; then exit 1 fi +# CVE-2023-50246: No heap overflow for '-10E-1000000001' +$VALGRIND $Q $JQ . <<\NUM +-10E-1000000001 +NUM + exit 0 |