JQ Assertion Failure Vulnerability in JSON Parser Component

Vulnerability

An assertion failure vulnerability has been identified in JQ, specifically in versions up to 1.6. The issue arises in the JSON parser component, within the 'run_jq_tests' function of the 'jq_test.c' file. This vulnerability occurs when the parser processes malformed JSON input with invalid Unicode escape sequences, leading to discrepancies between expected and actual JSON values during test execution. As a result, the JQ test suite experiences a crash, indicating potential parsing inconsistencies that could affect the application's reliability.
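As an added example (not jq's code and not part of this advisory), the following pre-parse check flags malformed `\u` escapes inside JSON string literals so such input can be rejected or logged before it reaches a parser. What counts as "invalid" here (truncated or non-hex digits, and unpaired surrogates) is an assumption, since the advisory does not say which sequences trigger the assertion; the function name `first_bad_unicode_escape` is hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Four hex digits at p -> UTF-16 code unit, or -1 if truncated or non-hex. */
static long hex4(const char *p, const char *end) {
    long v = 0;
    if (end - p < 4) return -1;
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)p[i];
        if (!isxdigit(c)) return -1;
        v = v * 16 + (isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
    }
    return v;
}

/* Byte offset of the first bad \u escape inside a JSON string literal in
 * buf[0..len), or -1 if every \u escape is well formed (assumed rules). */
long first_bad_unicode_escape(const char *buf, size_t len) {
    const char *p = buf, *end = buf + len;
    int in_string = 0;
    while (p < end) {
        if (!in_string) { in_string = (*p == '"'); p++; continue; }
        if (*p == '"')  { in_string = 0; p++; continue; }
        if (*p != '\\') { p++; continue; }
        if (end - p < 2) break;                 /* dangling backslash: not a \u case */
        if (p[1] != 'u') { p += 2; continue; }  /* \" \\ \n and friends */
        long hi = hex4(p + 2, end);
        if (hi < 0) return (long)(p - buf);     /* truncated or non-hex digits */
        if (hi >= 0xDC00 && hi <= 0xDFFF) return (long)(p - buf); /* lone low surrogate */
        if (hi >= 0xD800 && hi <= 0xDBFF) {     /* high surrogate needs a low one next */
            if (end - p < 12 || p[6] != '\\' || p[7] != 'u') return (long)(p - buf);
            long lo = hex4(p + 8, end);
            if (lo < 0xDC00 || lo > 0xDFFF) return (long)(p - buf);
            p += 12; continue;
        }
        p += 6;
    }
    return -1;
}

int main(void) {
    /* Constructed samples, not the PoC file referenced on this page. */
    const char *samples[] = { "{\"a\":\"\\u00e9\"}", "{\"a\":\"\\u12G4\"}", "[\"\\uD83D\"]" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-18s -> %ld\n", samples[i], first_bad_unicode_escape(samples[i], strlen(samples[i])));
    return 0;
}
```

The check only looks at `\u` escapes; it does not validate the rest of the JSON grammar, so it complements a parser rather than replacing one.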

Impact

Exploitation of this vulnerability causes the JQ application to crash, terminating the process due to the assertion failure. This behavior disrupts the normal operation of the application and indicates a deeper issue with JSON parsing that could lead to incorrect data handling or processing.

Reproduction

The vulnerability can be reproduced by compiling JQ with debugging symbols enabled and then executing it with the '--run-tests' option, using the 'POC_jq_assertion_failure_test_suite_parsing' file as input. This file, which contains malformed JSON data that triggers the vulnerability, can be downloaded from the provided Google Drive link.

Added: Aug 25, 2025, 3:18 AM
Updated: Aug 25, 2025, 3:18 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.