jq
cpe:2.3:a:jq_project:jq:*:*:*:*:*:*:*
- <= 1.8.1
A heap-based buffer overflow vulnerability has been identified in jq, a command-line JSON processor, in versions through 1.8.1. The issue arises in the decNumber library when the decNumberFromString function is fed a number literal of INT_MAX-1 digits. This input causes a signed integer overflow in the D2U macro, which is then exploited to bypass heap-allocation size checks. As a result, the function incorrectly uses a 30-byte stack buffer, writing approximately 715 million 16-bit units (around 1.4 GiB) at an offset of 1.43 GiB below the stack frame. The overflowed data is fully controlled by the attacker, allowing for potential exploitation.
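The arithmetic behind the size-check bypass, as an added example that is not jq's or decNumber's own code: it models D2U as the usual digits-to-units rounding `(d + DECDPUN - 1) / DECDPUN` with DECDPUN = 3 and a 15-unit (30-byte) local buffer, both assumptions taken from decNumber's defaults and the advisory text above, and places an overflow-checked variant beside it. Feeding the unchecked form the advisory's INT_MAX-1 digit count yields the negative unit count that slips past the "larger than the local buffer" test; the checked form rejects the count instead.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed constants: decNumber's default of 3 decimal digits per 16-bit
 * Unit, and the 15-Unit (30-byte) local buffer the advisory describes. */
#define DECDPUN      3
#define LOCAL_UNITS  15

/* Digits-to-units rounding as the advisory describes it: d + DECDPUN - 1
 * overflows a signed int when d is INT_MAX - 1.  The signed overflow in the
 * real macro is undefined behaviour; here the two's-complement wrap is
 * emulated in 64-bit arithmetic so the model itself is well-defined C. */
static int d2u_unchecked(int d)
{
    long long sum = (long long)d + (DECDPUN - 1);
    if (sum > INT_MAX)            /* emulate the 32-bit wrap to INT_MIN */
        sum -= (1LL << 32);
    return (int)(sum / DECDPUN);  /* INT_MIN / 3 == -715827882 */
}

/* Hardened variant: reject a negative count or one whose rounding would
 * overflow.  Returns the unit count, or -1 when the input is refused. */
static int d2u_checked(int d)
{
    if (d < 0 || d > INT_MAX - (DECDPUN - 1))
        return -1;
    return (d + DECDPUN - 1) / DECDPUN;
}

/* Models the allocation decision: unit counts beyond the local buffer go to
 * the heap.  A negative count fails the ">" test and selects the 30-byte
 * local buffer, which is the defect the advisory describes. */
static bool uses_local_buffer(int units)
{
    return !(units > LOCAL_UNITS);
}

/* Distance in bytes that a pointer advanced by `units` 16-bit Units moves
 * from the buffer start; for the wrapped count this is ~1.43e9 bytes. */
static long long unit_offset_bytes(int units)
{
    long long u = units;
    if (u < 0)
        u = -u;
    return u * 2;
}

int main(void)
{
    int d = INT_MAX - 1;
    int bad = d2u_unchecked(d);
    printf("unchecked D2U(%d) = %d -> local buffer: %s, offset %lld bytes\n",
           d, bad, uses_local_buffer(bad) ? "yes" : "no",
           unit_offset_bytes(bad));
    printf("checked   D2U(%d) = %d (-1 means rejected)\n", d, d2u_checked(d));
    printf("checked   D2U(45) = %d units -> local buffer: %s\n",
           d2u_checked(45), uses_local_buffer(d2u_checked(45)) ? "yes" : "no");
    return 0;
}
```

The fix pattern is the pre-check in `d2u_checked`: bound the digit count before the addition rather than after, since once the signed addition has overflowed no later comparison can be trusted.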
Exploitation of this vulnerability leads to a wild stack write, where the attacker-controlled data is written to a location on the stack that is significantly below the expected stack frame, potentially allowing for manipulation of the program's execution flow.
The vulnerability can be reproduced by using jq to parse a string that represents a number literal with 2147483646 digits, effectively triggering the signed integer overflow in the decNumber D2U macro. This can be done by creating a JSON string with the '1' character repeated 2147483646 times and using jq's 'tonumber' function to process it.