jv_setpath: fix leak when indexing an array with an array
arrays[arrays] is a special case of "INDEX" that actually returns an
array containing the indices in which the array that is being indexed
contains the start of the key array.

So array keys, for array values, are a kind of key that can be "got",
but not "set". jv_setpath() was not freeing the value it "got" from
indexing that key, in case the following "set" on that key failed,
resulting in a leak.

    $ ./jq -n '[] | setpath([[1]]; 1)'
    jq: error (at <unknown>): Cannot update field at array index of array

    =================================================================
    ==953483==ERROR: LeakSanitizer: detected memory leaks

    Direct leak of 272 byte(s) in 1 object(s) allocated from:
        #0 0x725f4d4e1359 in __interceptor_malloc /usr/src/debug/gcc/gcc/libsanitizer/asan/asan_malloc_linux.cpp:69
        #1 0x5ec17b1a7438 in jv_mem_alloc src/jv_alloc.c:141

    SUMMARY: AddressSanitizer: 272 byte(s) leaked in 1 allocation(s).

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66061
emanuele6 authored Mar 28, 2024
1 parent afe0afa commit 5bbd02f
Showing 2 changed files with 8 additions and 0 deletions.
1 change: 1 addition & 0 deletions src/jv_aux.c
@@ -417,6 +417,7 @@ jv jv_setpath(jv root, jv path, jv value) {
// to null first.
root = jv_set(root, jv_copy(pathcurr), jv_null());
if (!jv_is_valid(root)) {
jv_free(subroot);
jv_free(pathcurr);
jv_free(pathrest);
jv_free(value);
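Review bot: the added `jv_free(subroot);` on the `!jv_is_valid(root)` branch is the right place to release the value that the preceding "get" produced, since this is the path where the subsequent `jv_set` fails and nothing else consumes `subroot`; before merging, confirm that `subroot` is not also freed further down the same error path (which would turn the leak into a double free) and consider a one-line comment above the free saying that array-keyed lookups on arrays can be read but not written, so the reason for this extra cleanup is visible to the next reader. The accompanying `tests/jq.test` case in this commit exercises exactly this branch.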
7 changes: 7 additions & 0 deletions tests/jq.test
@@ -2169,3 +2169,10 @@ try ltrimstr("x") catch "x", try rtrimstr("x") catch "x" | "ok"
["ko","endswith() requires string inputs"]
["ok",""]
["ko","endswith() requires string inputs"]


# oss-fuzz #66061: setpath/2 leaks when indexing array with array

try ["OK", setpath([[1]]; 1)] catch ["KO", .]
[]
["KO","Cannot update field at array index of array"]
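Review bot: the regression test asserts only the error string "Cannot update field at array index of array", so it proves the failing-`jv_set` path is reached but cannot by itself detect the leak; it guards against regression only when the suite runs under AddressSanitizer/LeakSanitizer as in the oss-fuzz report. Worth noting that in the `# oss-fuzz #66061` comment, or making sure CI runs `tests/jq.test` with sanitizers enabled, so a future reintroduction of the leak is caught rather than silently passing.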
