From 71c2ab509a8628dbbad4bc7b3f98a64aa90d3297 Mon Sep 17 00:00:00 2001
From: Emanuele Torre <torreemanuele6@gmail.com>
Date: Wed, 13 Dec 2023 20:20:22 +0100
Subject: Merge pull request from GHSA-686w-5m7m-54vc

decNumberToString calls for a buffer that can hold a string of digits+14
characters, not a buffer of size digits+14.
We need to allocate an extra byte for the NUL byte.

-10E-1000010001, for example, will be stringified as -1.0E-1000010000
and decNumberToString will currently write an extra NUL byte after the
allocated buffer in the heap.

Originally reported by @SEU-SSL on GitHub.

Ref: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=64574

Fixes GHSA-686w-5m7m-54vc
---
 tests/shtest | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'tests')

diff --git a/tests/shtest b/tests/shtest
index a426c79f..14aafbf9 100755
--- a/tests/shtest
+++ b/tests/shtest
@@ -609,4 +609,9 @@ if ! r=$($JQ --args -rn 1 -- '$ARGS.positional[0]' bar) || [ "$r" != 1 ]; then
     exit 1
 fi
 
+# CVE-2023-50246: No heap overflow for '-10E-1000000001'
+$VALGRIND $Q $JQ . <<\NUM
+-10E-1000000001
+NUM
+
 exit 0
-- 
cgit v1.2.3