jq: Fix CVE-2026-41257

The upstream fix [3] is for a newer jq codebase. Debian has already
backported this fix in jq 1.8.1-6. Use the Debian patch [1], which fixes
this CVE as tracked in Debian bug #1136445 [2].

[1] https://sources.debian.org/src/jq/1.8.1-7/debian/patches/CVE-2026-41257.patch
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136445
[3] https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f

Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Shubham Pushpkar
2026-06-10 00:52:51 -07:00
committed by Anuj Mittal
parent d2c778bb20
commit 69716b15d8
2 changed files with 58 additions and 0 deletions
@@ -0,0 +1,57 @@
From a525b86330b4b8889e0329249b8d2e04f9640a2a Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Fri, 24 Apr 2026 22:09:44 +0900
Subject: [PATCH] Fix signed-int overflow in `stack_reallocate`
This fixes CVE-2026-41257.
CVE: CVE-2026-41257
Upstream-Status: Backport [https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f]
(cherry picked from commit 01b3cded76daacbfddb7f8763700b0803bcb5c6f)
Signed-off-by: Shubham Pushpkar <spushpka@cisco.com>
---
src/exec_stack.h | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/exec_stack.h b/src/exec_stack.h
index 2a063e8..159c56e 100644
--- a/src/exec_stack.h
+++ b/src/exec_stack.h
@@ -2,8 +2,10 @@
#define EXEC_STACK_H
#include <stddef.h>
#include <stdint.h>
+#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include "jv_alloc.h"
/*
@@ -81,15 +83,19 @@ static stack_ptr* stack_block_next(struct stack* s, stack_ptr p) {
}
static void stack_reallocate(struct stack* s, size_t sz) {
- int old_mem_length = -(s->bound) + ALIGNMENT;
- char* old_mem_start = (s->mem_end != NULL) ? (s->mem_end - old_mem_length) : NULL;
+ size_t old_mem_length = (size_t)(-(s->bound)) + ALIGNMENT;
+ char* old_mem_start = s->mem_end != NULL ? s->mem_end - old_mem_length : NULL;
- int new_mem_length = align_round_up((old_mem_length + sz + 256) * 2);
+ size_t new_mem_length = align_round_up((old_mem_length + sz + 256) * 2);
+ if (new_mem_length > INT_MAX) {
+ fprintf(stderr, "jq: error: cannot allocate memory\n");
+ abort();
+ }
char* new_mem_start = jv_mem_realloc(old_mem_start, new_mem_length);
memmove(new_mem_start + (new_mem_length - old_mem_length),
new_mem_start, old_mem_length);
s->mem_end = new_mem_start + new_mem_length;
- s->bound = -(new_mem_length - ALIGNMENT);
+ s->bound = -(int)(new_mem_length - ALIGNMENT);
}
static stack_ptr stack_push_block(struct stack* s, stack_ptr p, size_t sz) {
--
2.44.4
+1
View File
@@ -22,6 +22,7 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${BPN}-${PV}/${BPN}-${PV}.tar.gz \
file://CVE-2026-39979.patch \ file://CVE-2026-39979.patch \
file://CVE-2026-40612.patch \ file://CVE-2026-40612.patch \
file://CVE-2026-41256.patch \ file://CVE-2026-41256.patch \
file://CVE-2026-41257.patch \
" "
SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2" SRC_URI[sha256sum] = "478c9ca129fd2e3443fe27314b455e211e0d8c60bc8ff7df703873deeee580c2"