jq Out-of-Bounds Read Vulnerability in jv_parse_sized() API

A vulnerability exists in jq's libjq component, specifically in the jv_parse_sized() API, which handles counted buffers with an explicit length parameter. Prior to the patch in commit 2f09060afab23fe9390cce7cb860b10416e1bf5f, the error-handling process incorrectly treated the buffered input as a NUL-terminated string. This mismanagement allowed for out-of-bounds reads when malformed JSON was supplied in a non-NUL-terminated buffer. Such exploitation could lead to memory disclosure or process termination.

Impact

Exploitation of this vulnerability causes an out-of-bounds read, which can result in memory disclosure or termination of the process.

Reproduction

The vulnerability can be reproduced by calling the jv_parse_sized() function with a counted buffer that contains malformed JSON but is not NUL-terminated. This can be done by allocating a buffer, writing a partial JSON object into it, and then passing it to jv_parse_sized() with the length of the buffer. The error handling will then read past the end of the buffer, causing an out-of-bounds read.

Remediation

Users should update to the latest version of jq, where this vulnerability has been patched.