diff options
-rw-r--r-- | NEWS.md | 2 | ||||
-rw-r--r-- | src/jv.c | 12 | ||||
-rwxr-xr-x | tests/shtest | 5 |
3 files changed, 14 insertions, 5 deletions
@@ -3,7 +3,7 @@ ## Security - CVE-2023-50246: .... -- CVE-2023-50268: .... +- CVE-2023-50268: fix stack-buffer-overflow if comparing nan with payload ## CLI changes @@ -740,15 +740,19 @@ int jvp_number_cmp(jv a, jv b) { #ifdef USE_DECNUM if (JVP_HAS_FLAGS(a, JVP_FLAGS_NUMBER_LITERAL) && JVP_HAS_FLAGS(b, JVP_FLAGS_NUMBER_LITERAL)) { - decNumber res; - decNumberCompare(&res, + struct { + decNumber number; + decNumberUnit units[1]; + } res; + + decNumberCompare(&res.number, jvp_dec_number_ptr(a), jvp_dec_number_ptr(b), DEC_CONTEXT() ); - if (decNumberIsZero(&res)) { + if (decNumberIsZero(&res.number)) { return 0; - } else if (decNumberIsNegative(&res)) { + } else if (decNumberIsNegative(&res.number)) { return -1; } else { return 1; diff --git a/tests/shtest b/tests/shtest index 469ea1d2..a426c79f 100755 --- a/tests/shtest +++ b/tests/shtest @@ -594,6 +594,11 @@ if ! x=$($JQ -n "1 # foo$cr + 2") || [ "$x" != 1 ]; then exit 1 fi +# CVE-2023-50268: No stack overflow comparing a nan with a large payload +$VALGRIND $Q $JQ '1 != .' <<\EOF >/dev/null +Nan4000 +EOF + # Allow passing the inline jq script before -- #2919 if ! r=$($JQ --args -rn -- '$ARGS.positional[0]' bar) || [ "$r" != bar ]; then echo "passing the inline script after -- didn't work" |