mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-16 16:27:27 +00:00
jq: Fix CVE-2026-41257
The upstream fix [3] is for a newer jq codebase. Debian has already backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes this CVE as tracked in Debian bug #1136445 [2]. [1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-41257.patch [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445 [3] https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f Signed-off-by: Shubham Pushpkar <spushpka@cisco.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
d2c778bb20
commit
69716b15d8
@@ -0,0 +1,57 @@
|
||||
From a525b86330b4b8889e0329249b8d2e04f9640a2a Mon Sep 17 00:00:00 2001
|
||||
From: itchyny <itchyny@cybozu.co.jp>
|
||||
Date: Fri, 24 Apr 2026 22:09:44 +0900
|
||||
Subject: [PATCH] Fix signed-int overflow in `stack_reallocate`
|
||||
|
||||
This fixes CVE-2026-41257.
|
||||
|
||||
CVE: CVE-2026-41257
|
||||
Upstream-Status: Backport [https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f]
|
||||
|
||||
(cherry picked from commit 01b3cded76daacbfddb7f8763700b0803bcb5c6f)
|
||||
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
|
||||
---
|
||||
src/exec_stack.h | 14 ++++++++++----
|
||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/exec_stack.h b/src/exec_stack.h
|
||||
index 2a063e8..159c56e 100644
|
||||
--- a/src/exec_stack.h
|
||||
+++ b/src/exec_stack.h
|
||||
@@ -2,8 +2,10 @@
|
||||
#define EXEC_STACK_H
|
||||
#include <stddef.h>
|
||||
#include <stdint.h>
|
||||
+#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
+#include <limits.h>
|
||||
#include "jv_alloc.h"
|
||||
|
||||
/*
|
||||
@@ -81,15 +83,19 @@ static stack_ptr* stack_block_next(struct stack* s, stack_ptr p) {
|
||||
}
|
||||
|
||||
static void stack_reallocate(struct stack* s, size_t sz) {
|
||||
- int old_mem_length = -(s->bound) + ALIGNMENT;
|
||||
- char* old_mem_start = (s->mem_end != NULL) ? (s->mem_end - old_mem_length) : NULL;
|
||||
+ size_t old_mem_length = (size_t)(-(s->bound)) + ALIGNMENT;
|
||||
+ char* old_mem_start = s->mem_end != NULL ? s->mem_end - old_mem_length : NULL;
|
||||
|
||||
- int new_mem_length = align_round_up((old_mem_length + sz + 256) * 2);
|
||||
+ size_t new_mem_length = align_round_up((old_mem_length + sz + 256) * 2);
|
||||
+ if (new_mem_length > INT_MAX) {
|
||||
+ fprintf(stderr, "jq: error: cannot allocate memory\n");
|
||||
+ abort();
|
||||
+ }
|
||||
char* new_mem_start = jv_mem_realloc(old_mem_start, new_mem_length);
|
||||
memmove(new_mem_start + (new_mem_length - old_mem_length),
|
||||
new_mem_start, old_mem_length);
|
||||
s->mem_end = new_mem_start + new_mem_length;
|
||||
- s->bound = -(new_mem_length - ALIGNMENT);
|
||||
+ s->bound = -(int)(new_mem_length - ALIGNMENT);
|
||||
}
|
||||
|
||||
static stack_ptr stack_push_block(struct stack* s, stack_ptr p, size_t sz) {
|
||||
--
|
||||
2.44.4
|
||||
@@ -22,6 +22,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
|
||||
file://CVE-2026-39979.patch \
|
||||
file://CVE-2026-40612.patch \
|
||||
file://CVE-2026-41256.patch \
|
||||
file://CVE-2026-41257.patch \
|
||||
"
|
||||
SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user