Fix heap buffer overflow when formatting an empty string

itchyny · itchyny · commit c6e041699d8c · 2025-05-31T11:46:40.000+09:00
The `jv_string_empty` did not properly null-terminate the string data, which could lead to a heap buffer overflow. The test case of GHSA-p7rr-28xf-3m5w (`0[""*0]`) was fixed by the commit dc849e9, but another case (`0[[]|implode]`) was still vulnerable. This commit ensures string data is properly null-terminated, and fixes CVE-2025-48060.
diff --git a/src/jv.c b/src/jv.c
@@ -1148,6 +1148,7 @@ static jv jvp_string_empty_new(uint32_t length) {
   jvp_string* s = jvp_string_alloc(length);
   s->length_hashed = 0;
   memset(s->data, 0, length);
+  s->data[length] = 0;
   jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}};
   return r;
 }
diff --git a/tests/jq.test b/tests/jq.test
@@ -2362,6 +2362,10 @@ map(try implode catch .)
 [123,["a"],[nan]]
 ["implode input must be an array","string (\"a\") can't be imploded, unicode codepoint needs to be numeric","number (null) can't be imploded, unicode codepoint needs to be numeric"]
 
+try 0[implode] catch .
+[]
+"Cannot index number with string \"\""
+
 # walk
 walk(.)
 {"x":0}

Original file line number	Diff line number	Diff line change
`@@ -1148,6 +1148,7 @@ static jv jvp_string_empty_new(uint32_t length) {`
`1148`	`1148`	`jvp_string* s = jvp_string_alloc(length);`
`1149`	`1149`	`s->length_hashed = 0;`
`1150`	`1150`	`memset(s->data, 0, length);`
	`1151`	`+ s->data[length] = 0;`
`1151`	`1152`	`jv r = {JVP_FLAGS_STRING, 0, 0, 0, {&s->refcnt}};`
`1152`	`1153`	`return r;`
`1153`	`1154`	`}`