jqlang jq
cpe:2.3:a:jqlang:jq:*:*:*:*:*:*:*
- 1.7
- 1.7.1
A stack-based buffer overflow has been identified in jq 1.7.1 (the affected list above also covers 1.7). The flaw is in the decNumberCopy function in decNumber.c, the bundled decNumber library jq uses for decimal literals: the copy lacks a check for NaN, so a NaN carrying a crafted digit string is copied as if it were an ordinary number and the copy runs past the end of a fixed-size destination on the stack. It is triggered by running jq with the --slurp option and a specific filter over input containing such a digit string. The bug was found by fuzzing; the observed effect is undefined behavior and a crash.
Impact: an out-of-bounds write to the stack. On untrusted input this is at least a denial of service (jq crashes), and because the overwritten bytes are attacker-influenced it could in principle be built into something worse, although the page only documents the crash.
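As an added illustration, and not code from jq or from decNumber, the C program below models the bug class described above: a decimal value is stored as a digit count plus an array of units, and a copy routine that sizes its loop by the source's digit count, with no check for a NaN carrying a digit payload and no check of the destination's capacity, overruns a fixed-size destination that lives on the stack. The struct layout, the DEC_NAN flag, the 17-digit capacity and every function name are assumptions made for the example; the hardened dec_copy_checked rejects NaNs and oversized sources before any unit is written.

```c
/*
 * Illustration of the decNumberCopy bug class (hypothetical layout and names,
 * not decNumber's or jq's code). A value is a header plus an array of Units;
 * the copy loop is bounded by the SOURCE digit count only.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DECDPUN 3                                 /* digits stored per Unit (assumption) */
#define D2U(d)  (((d) + DECDPUN - 1) / DECDPUN)   /* digits -> units, rounding up */
#define DEC_NAN 0x04                              /* hypothetical status bit marking a NaN */

#define SMALL_DIGITS 17                           /* capacity of the stack destination (assumption) */
#define SMALL_UNITS  D2U(SMALL_DIGITS)

typedef uint16_t Unit;

typedef struct {
    int32_t digits;      /* number of decimal digits held in lsu[] */
    int32_t exponent;
    uint8_t bits;        /* status flags, e.g. DEC_NAN */
    Unit    lsu[];       /* least-significant unit first, D2U(digits) entries */
} Dec;

/* Fixed-capacity storage for a Dec with room for SMALL_UNITS units; used on the stack. */
typedef union {
    Dec           d;
    unsigned char raw[sizeof(Dec) + SMALL_UNITS * sizeof(Unit)];
} DecSmall;

/* VULNERABLE pattern: nothing bounds the loop by the destination's capacity,
 * and a NaN is copied like any other number, digit payload included. */
static void dec_copy_unchecked(Dec *dest, const Dec *src) {
    dest->bits     = src->bits;
    dest->exponent = src->exponent;
    dest->digits   = src->digits;
    for (int32_t i = 0; i < D2U(src->digits); i++)
        dest->lsu[i] = src->lsu[i];   /* overruns dest when src has more units */
}

/* HARDENED: refuse NaN payloads and any source larger than the destination.
 * Returns 0 on success, -1 when the copy is rejected. */
static int dec_copy_checked(Dec *dest, int32_t dest_digits, const Dec *src) {
    if (src->bits & DEC_NAN)                         return -1;
    if (src->digits < 1 || src->digits > dest_digits) return -1;
    dec_copy_unchecked(dest, src);   /* safe: bound established above */
    return 0;
}

/* Build a heap-allocated source value with a recognisable unit pattern (constructed test data). */
static Dec *dec_make(int32_t digits, uint8_t bits) {
    int32_t units = D2U(digits);
    Dec *n = malloc(sizeof(Dec) + (size_t)units * sizeof(Unit));
    if (!n) return NULL;
    n->digits = digits; n->exponent = 0; n->bits = bits;
    for (int32_t i = 0; i < units; i++) n->lsu[i] = (Unit)(100 + i);
    return n;
}

/* Copy a src_digits-digit value with the given flags into a 17-digit stack object
 * through the checked path. Returns -1 if rejected, 0 if copied and verified,
 * 1 if copied but the units differ (must not happen), -2 on allocation failure. */
int copy_into_small(int32_t src_digits, uint8_t src_bits) {
    DecSmall small;
    memset(&small, 0, sizeof small);
    Dec *src = dec_make(src_digits, src_bits);
    if (!src) return -2;
    int rc = dec_copy_checked(&small.d, SMALL_DIGITS, src);
    if (rc == 0) {
        for (int32_t i = 0; i < D2U(src_digits); i++)
            if (small.d.lsu[i] != src->lsu[i]) rc = 1;
    }
    free(src);
    return rc;
}

int main(void) {
    printf("40-digit NaN payload into a 17-digit stack value: %s\n",
           copy_into_small(40, DEC_NAN) == -1 ? "rejected" : "copied");
    printf("12-digit finite value: %s\n",
           copy_into_small(12, 0) == 0 ? "copied" : "rejected");
    /* Feeding the same 40-digit NaN to dec_copy_unchecked would write 14 units
     * into a 6-unit stack object: the stack-based overflow described above. */
    return 0;
}
```

Building the real jq with -fsanitize=address makes the same kind of overrun visible as a reported stack-buffer-overflow instead of silent corruption, which is the quickest way to confirm whether a given input reaches it.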
Reproduction: the reporter's proof of concept echoes a base64-encoded string representing the crafted digit sequence containing NaN, decodes it, and pipes the result into jq run with --slurp and the triggering filter; the crash occurs inside decNumberCopy (decNumberCopy is an internal decNumber function, not a jq option or filter). The input was found by fuzzing jq's JSON parser, and a build with -fsanitize=address turns the overrun into an explicit stack-buffer-overflow report, which is the reliable way to confirm it.
Remediation: upgrade to jq 1.8.0 or later, the first release that contains the fix (there was no 1.7.2 release). Check the installed build with `jq --version`; distribution packages may backport the fix under a 1.7.x version string, so consult the distribution's advisory when the version alone is inconclusive.