

builtin.c: fix signed integer overflow in jv2tm
jv2tm now properly clamps large number values to a signed 32-bit integer
and rejects nan.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65885
emanuele6 committed Mar 15, 2024
1 parent 1411ce6 commit 60e95a6
Showing 2 changed files with 15 additions and 2 deletions.
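--- a/src/builtin.c
+++ b/src/builtin.c
@@ -1464,13 +1464,20 @@ static jv f_strptime(jq_state *jq, jv a, jv b) {
 #define TO_TM_FIELD(t, j, i) \
 do { \
 jv n = jv_array_get(jv_copy(j), (i)); \
-if (jv_get_kind(n) != (JV_KIND_NUMBER)) { \
+if (jv_get_kind(n) != JV_KIND_NUMBER || \
+jvp_number_is_nan(n)) { \
 jv_free(n); \
 jv_free(j); \
 return 0; \
 } \
-t = jv_number_value(n); \
+double dint = jv_number_value(n); \
 jv_free(n); \
+if (dint < INT_MIN) \
+(t) = INT_MIN; \
+else if (dint > INT_MAX) \
+(t) = INT_MAX; \
+else \
+(t) = (int)dint; \
 } while (0)
 
 static int jv2tm(jv a, struct tm *tm) {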
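Review bot: The saturation at `(t) = INT_MIN;` / `(t) = INT_MAX;` removes the out-of-range double-to-int conversion that was UB, but a clamped field such as tm_year == INT_MAX now flows into struct tm, and whether the code that consumes jv2tm's output (strftime/timegm callers elsewhere in the file, not in this hunk) tolerates that — any `tm_year + 1900` style arithmetic in the C library would overflow again one layer down — cannot be confirmed from here and is worth checking with the same fuzzer input. The asymmetry that NaN is rejected while out-of-range values are silently saturated is also undocumented; the reason is that NaN compares false against both bounds and would reach the `(int)dint` cast, so a comment above the clamp would help: `/* Saturate to int range rather than erroring; NaN must be rejected above because it fails both bound checks and would reach the cast. */`. TO_TM_FIELD is complete within the hunk; jv2tm, which expands it, starts on the hunk's last line and continues outside it.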
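--- a/tests/jq.test
+++ b/tests/jq.test
@@ -1585,6 +1585,12 @@ try mktime catch .
 ["a",1,2,3,4,5,6,7]
 "mktime requires parsed datetime inputs"
 
+# oss-fuzz #65885: non-int32 values are accepted and cause UB overflows
+.[] | try ["OK", strftime("%Y-%m-%dT%H:%M:%SZ")] catch ["KO", .]
+[[1e31],[NaN]]
+["KO","strftime/1 requires parsed datetime inputs"]
+["KO","strftime/1 requires parsed datetime inputs"]
+
 # oss-fuzz #67403: non-string argument with number input fails assert
 try ["OK", strftime([])] catch ["KO", .]
 0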
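Review bot: The `[1e31]` input is a one-element array, so if jv2tm goes on to read further fields the expected "requires parsed datetime inputs" error comes from the missing second element rather than from the clamped value, and the regression test only detects the original bug when run under UBSan; the `[NaN]` case does exercise the new rejection path directly. A full broken-down time with an out-of-range year, e.g. `[1e31,0,1,0,0,0,0,0] | try (strftime("%Y") | type) catch "error"`, would drive the saturated INT_MAX year through jv2tm and into strftime; the rendered year is libc-dependent, so asserting only the result type or error shape keeps the test portable. The surrounding test cases are unchanged context.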

