master

分支 (28)

标签 (22)

管理

管理

master

openEuler-25.03

sync-pr23--to-openEuler-24.09

openEuler-24.03-LTS-Next

openEuler-24.03-LTS-SP1

openEuler-24.03-LTS-SP2

openEuler-24.09

openEuler-22.03-LTS-SP1

openEuler-22.03-LTS-SP3

openEuler-22.03-LTS-SP4

openEuler-24.03-LTS

openEuler-20.03-LTS-SP4

openEuler-22.09

openEuler-23.03

openEuler-23.09

openEuler-21.09

openEuler-22.03-LTS

openEuler-22.03-LTS-Next

openEuler-22.03-LTS-SP2

openEuler-20.03-LTS-Next

openEuler-25.03-release

openEuler-24.03-LTS-SP1-release

openEuler-22.03-LTS-SP4-release

openEuler-24.09-release

openEuler-24.03-LTS-release

openEuler-22.03-LTS-SP3-release

openEuler-23.09-rc5

openEuler-22.03-LTS-SP1-release

openEuler-22.09-release

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.03-LTS-20200606

jq
/
CVE-2024-53427.patch

From a09a4dfd55e6c24d04b35062ccfe4509748b1dd3 Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Wed, 5 Mar 2025 07:43:54 +0900
Subject: [PATCH] Reject NaN with payload while parsing JSON

This commit drops support for parsing NaN with payload in JSON like
`NaN123` and fixes CVE-2024-53427. Other JSON extensions like `NaN` and
`Infinity` are still supported. Fixes #3023, fixes #3196, fixes #3246.

Origin: https://github.com/jqlang/jq/commit/a09a4dfd55e6c24d04b35062ccfe4509748b1dd3
---
 src/jv.c      |  5 +++++
 tests/jq.test | 14 ++++++++++----
 tests/shtest  |  5 -----
 3 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/src/jv.c b/src/jv.c
index 9329eae..e26f74d 100644
--- a/src/jv.c
+++ b/src/jv.c
@@ -587,6 +587,11 @@ static jv jvp_literal_number_new(const char * literal) {
     return JV_INVALID;
   }
   if (decNumberIsNaN(&n->num_decimal)) {
+    // Reject NaN with payload.
+    if (n->num_decimal.digits > 1 || *n->num_decimal.lsu != 0) {
+      jv_mem_free(n);
+      return JV_INVALID;
+    }
     jv_mem_free(n);
     return jv_number(NAN);
   }
diff --git a/tests/jq.test b/tests/jq.test
index 7036df2..d052b22 100644
--- a/tests/jq.test
+++ b/tests/jq.test
@@ -1938,11 +1938,17 @@ tojson | fromjson
 {"a":nan}
 {"a":null}

-# also "nan with payload" #2985
-fromjson | isnan
-"nan1234"
+# NaN with payload is not parsed
+.[] | try (fromjson | isnan) catch .
+["NaN","-NaN","NaN1","NaN10","NaN100","NaN1000","NaN10000","NaN100000"]
 true
-
+true
+"Invalid numeric literal at EOF at line 1, column 4 (while parsing 'NaN1')"
+"Invalid numeric literal at EOF at line 1, column 5 (while parsing 'NaN10')"
+"Invalid numeric literal at EOF at line 1, column 6 (while parsing 'NaN100')"
+"Invalid numeric literal at EOF at line 1, column 7 (while parsing 'NaN1000')"
+"Invalid numeric literal at EOF at line 1, column 8 (while parsing 'NaN10000')"
+"Invalid numeric literal at EOF at line 1, column 9 (while parsing 'NaN100000')"

 # calling input/0, or debug/0 in a test doesn't crash jq

diff --git a/tests/shtest b/tests/shtest
index 14aafbf..a471889 100755
--- a/tests/shtest
+++ b/tests/shtest
@@ -594,11 +594,6 @@ if ! x=$($JQ -n "1 # foo$cr + 2") || [ "$x" != 1 ]; then
   exit 1
 fi

-# CVE-2023-50268: No stack overflow comparing a nan with a large payload
-$VALGRIND $Q $JQ '1 != .' <<\EOF >/dev/null
-Nan4000
-EOF
-
 # Allow passing the inline jq script before -- #2919
 if ! r=$($JQ --args -rn -- '$ARGS.positional[0]' bar) || [ "$r" != bar ]; then
     echo "passing the inline script after -- didn't work"
--
2.48.1