mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-05-07 05:10:20 +00:00
Code Issues Projects Releases Wiki Activity

jq: patch CVE-2026-32316

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-32316

Backport the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
This commit is contained in:
Gyorgy Sarvari
2026-04-20 08:27:34 +02:00
committed by Khem Raj
parent 6fb954e736
commit e94ab85126
2 changed files with 58 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-devtools/jq/jq/CVE-2026-32316.patch
+53
View File
@@ -0,0 +1,53 @@
From 321e62b356df2d4ed47aba4f3818e447ec4d77fc Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Thu, 12 Mar 2026 20:28:43 +0900
Subject: [PATCH] Fix heap buffer overflow in `jvp_string_append` and
`jvp_string_copy_replace_bad`
In `jvp_string_append`, the allocation size `(currlen + len) * 2` could
overflow `uint32_t` when `currlen + len` exceeds `INT_MAX`, causing a small
allocation followed by a large `memcpy`.
In `jvp_string_copy_replace_bad`, the output buffer size calculation
`length * 3 + 1` could overflow `uint32_t`, again resulting in a small
allocation followed by a large write.
Add overflow checks to both functions to return an error for strings
that would exceed `INT_MAX` in length. Fixes CVE-2026-32316.
CVE: CVE-2026-32316
Upstream-Status: Backport [https://github.com/jqlang/jq/commit/e47e56d226519635768e6aab2f38f0ab037c09e5]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
src/jv.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/jv.c b/src/jv.c
index e4529a4..74be05a 100644
--- a/src/jv.c
+++ b/src/jv.c
@@ -1114,7 +1114,12 @@ static jv jvp_string_copy_replace_bad(const char* data, uint32_t length) {
const char* end = data + length;
const char* i = data;
- uint32_t maxlength = length * 3 + 1; // worst case: all bad bytes, each becomes a 3-byte U+FFFD
+ // worst case: all bad bytes, each becomes a 3-byte U+FFFD
+ uint64_t maxlength = (uint64_t)length * 3 + 1;
+ if (maxlength >= INT_MAX) {
+ return jv_invalid_with_msg(jv_string("String too long"));
+ }
+
jvp_string* s = jvp_string_alloc(maxlength);
char* out = s->data;
int c = 0;
@@ -1174,6 +1179,10 @@ static uint32_t jvp_string_remaining_space(jvp_string* s) {
static jv jvp_string_append(jv string, const char* data, uint32_t len) {
jvp_string* s = jvp_string_ptr(string);
uint32_t currlen = jvp_string_length(s);
+ if ((uint64_t)currlen + len >= INT_MAX) {
+ jv_free(string);
+ return jv_invalid_with_msg(jv_string("String too long"));
+ }
if (jvp_refcnt_unshared(string.u.ptr) &&
jvp_string_remaining_space(s) >= len) {
meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+5 -5
View File
@@ -10,11 +10,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=cf7fcb0a1def4a7ad62c028f7d0dca47"
SRCREV = "4467af7068b1bcd7f882defff6e7ea674c5357f4" SRCREV = "4467af7068b1bcd7f882defff6e7ea674c5357f4"
SRC_URI = " \ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${PV} \
git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${PV} \ file://run-ptest \
file://run-ptest \ file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \
file://0001-Support-building-with-disable-maintainer-mode-and-so.patch \ file://CVE-2026-32316.patch \
" "
inherit autotools ptest inherit autotools ptest