ASAN Output
./jq -nf ./stack-overflow.jq
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1910490==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd0d12dfe8 (pc 0x5753e57f9691 bp 0x7ffd0d12e050 sp 0x7ffd0d12dff0 T0)
#0 0x5753e57f9691 in node_min_byte_len /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/vendor/oniguruma/src/regcomp.c:3606
#1 0x5753e57f9d2a in node_min_byte_len /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/vendor/oniguruma/src/regcomp.c:3678:15
#2 0x5753e57fa065 in node_min_byte_len /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/vendor/oniguruma/src/regcomp.c
#3 0x5753e57f9d2a in node_min_byte_len /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/vendor/oniguruma/src/regcomp.c:3678:15
#4 0x5753e57fa065 in node_min_byte_len /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/vendor/oniguruma/src/regcomp.c
#5 0x5753e57f9d2a in node_min_byte_len /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/vendor/oniguruma/src/regcomp.c:3678:15
#6 0x5753e57fa065 in node_min_byte_len /home/sofi/fuzzing/jq/fuzzing-builds/afl-llvm-asan/jq/vendor/oniguruma/src/regcomp.c
...
...
...
GDB
gdb --args ./jq -nf ./stack-overflow.jq
Program received signal SIGSEGV, Segmentation fault.
0x00005555558ae65c in node_min_byte_len (node=<optimized out>, env=<optimized out>) at regcomp.c:3606
3606 {
(gdb) bt
#0 0x00005555558ae65c in node_min_byte_len (node=<optimized out>, env=<optimized out>) at regcomp.c:3606
#1 0x00005555558af076 in node_min_byte_len (node=<optimized out>, env=<optimized out>) at regcomp.c:3707
#2 0x00005555558aed3b in node_min_byte_len (node=<optimized out>, env=<optimized out>) at regcomp.c:3678
#3 0x00005555558af076 in node_min_byte_len (node=<optimized out>, env=<optimized out>) at regcomp.c:3707
#4 0x00005555558aed3b in node_min_byte_len (node=<optimized out>, env=<optimized out>) at regcomp.c:3678
#5 0x00005555558af076 in node_min_byte_len (node=<optimized out>, env=<optimized out>) at regcomp.c:3707
#6 0x00005555558aed3b in node_min_byte_len (node=<optimized out>, env=<optimized out>) at regcomp.c:3678
#7 0x00005555558af076 in node_min_byte_len (node=<optimized out>, env=<optimized out>) at regcomp.c:3707
#8 0x00005555558aed3b in node_min_byte_len (node=<optimized out>, env=<optimized out>) at regcomp.c:3678
#9 0x00005555558af076 in node_min_byte_len (node=<optimized out>, env=<optimized out>) at regcomp.c:3707
#10 0x00005555558aed3b in node_min_byte_len (node=<optimized out>, env=<optimized out>) at regcomp.c:3678
...
...
...
#858 0x00005555558a54c0 in tune_quant (node=0x60700001adc0, reg=0x615000000300, state=141, env=0x7fffffffd0e0) at regcomp.c:5682
#859 tune_tree (node=0x60700001adc0, reg=<optimized out>, state=<optimized out>, env=<optimized out>) at regcomp.c:5859
#860 0x00005555558a5b94 in tune_tree (node=0x60700001ae30, reg=<optimized out>, state=<optimized out>, env=<optimized out>) at regcomp.c:5829
#861 0x00005555558a5aba in tune_quant (node=0x60700001aea0, reg=0x7fffffffd0e0, state=0, env=0x5555558aef70 <node_min_byte_len+2336>) at regcomp.c:5697
#862 tune_tree (node=0x60700001aea0, reg=<optimized out>, state=<optimized out>, env=<optimized out>) at regcomp.c:5859
#863 0x00005555558a5b94 in tune_tree (node=0x60700001af10, reg=<optimized out>, state=<optimized out>, env=<optimized out>) at regcomp.c:5829
#864 0x00005555558a5aba in tune_quant (node=0x60700001af80, reg=0x7fffffffd0e0, state=0, env=0x5555558aef70 <node_min_byte_len+2336>) at regcomp.c:5697
#865 tune_tree (node=0x60700001af80, reg=<optimized out>, state=<optimized out>, env=<optimized out>) at regcomp.c:5859
#866 0x00005555558a5b94 in tune_tree (node=0x60700001aff0, reg=<optimized out>, state=<optimized out>, env=<optimized out>) at regcomp.c:5829
#867 0x00005555558a5aba in tune_quant (node=0x60700001b060, reg=0x7fffffffd0e0, state=0, env=0x5555558aef70 <node_min_byte_len+2336>) at regcomp.c:5697
#868 tune_tree (node=0x60700001b060, reg=<optimized out>, state=<optimized out>, env=<optimized out>) at regcomp.c:5859
#869 0x00005555558a5b94 in tune_tree (node=0x60700001b0d0, reg=<optimized out>, state=<optimized out>, env=<optimized out>) at regcomp.c:5829
#870 0x00005555558a5aba in tune_quant (node=0x60700001b140, reg=0x7fffffffd0e0, state=0, env=0x5555558aef70 <node_min_byte_len+2336>) at regcomp.c:5697
#871 tune_tree (node=0x60700001b140, reg=<optimized out>, state=<optimized out>, env=<optimized out>) at regcomp.c:5859
#872 0x00005555558a5b94 in tune_tree (node=0x60700001b1b0, reg=<optimized out>, state=<optimized out>, env=<optimized out>) at regcomp.c:5829
#873 0x00005555558a5aba in tune_quant (node=0x60700001b220, reg=0x7fffffffd0e0, state=0, env=0x5555558aef70 <node_min_byte_len+2336>) at regcomp.c:5697
...
...
...
#8942 0x00005555558a2093 in tune_tree (node=0x607000187e60, reg=<optimized out>, state=<optimized out>, env=<optimized out>) at regcomp.c:5765
#8943 0x00005555558a63e4 in tune_look_behind (node=0x6070000003a0, reg=0x7fffffffd0e0, state=0, env=0x5555558aef70 <node_min_byte_len+2336>) at regcomp.c:4625
#8944 tune_anchor (node=0x6070000003a0, reg=0x7fffffffd0e0, state=0, env=0x5555558aef70 <node_min_byte_len+2336>) at regcomp.c:5653
#8945 tune_tree (node=0x6070000003a0, reg=<optimized out>, state=<optimized out>, env=<optimized out>) at regcomp.c:5863
#8946 0x00005555558a14f9 in tune_tree (node=0x607000187ed0, reg=<optimized out>, state=<optimized out>, env=<optimized out>) at regcomp.c:5754
#8947 0x000055555588e2a3 in parse_and_tune (reg=<optimized out>, pattern=<optimized out>, pattern_end=<optimized out>, scan_env=<optimized out>, rroot=<optimized out>, einfo=<optimized out>, uslist=<optimized out>) at regcomp.c:7450
#8948 0x000055555588a546 in onig_compile (reg=0x607000001670, pattern=<optimized out>, pattern_end=<optimized out>, einfo=<optimized out>) at regcomp.c:7526
#8949 0x000055555589815c in onig_new (reg=0x7fffffffd520, pattern=<optimized out>, pattern_end=<optimized out>, option=<optimized out>, enc=<optimized out>, syntax=<optimized out>, einfo=<optimized out>) at regcomp.c:7756
#8950 0x00005555557e360f in f_match (jq=<optimized out>, input=..., regex=..., modifiers=..., testmode=...) at src/builtin.c:979
#8951 0x00005555556fd4b5 in jq_next (jq=0x607000001670) at src/execute.c:920
#8952 0x00005555556ed9b7 in process (jq=0x611000000180, value=..., flags=0, dumpopts=<optimized out>, options=<optimized out>) at src/main.c:175
#8953 0x00005555556ec40d in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:656
Summary
A stack overflow vulnerability exists in the node_min_byte_len function of /vendor/oniguruma/src/regcomp.c in the Oniguruma dependency. AddressSanitizer reports it as stack-overflow, and the backtrace shows node_min_byte_len together with tune_tree/tune_quant recursing thousands of frames deep while compiling the regex handed over by jq's f_match, i.e. stack exhaustion through unbounded recursion on a deeply nested pattern rather than a stack buffer overflow.

PoC
PoC command: ./jq -nf ./stack-overflow.jq
Test File: stack-overflow.zip
Version: jq-1.8.0-9-g499c91b-dirty
Build flags: --disable-shared --with-oniguruma=builtin CC=afl-clang-fast 'CFLAGS=-O1 -fno-omit-frame-pointer -gline-tables-only -Wno-error=enum-constexpr-conversion -Wno-error=incompatible-function-pointer-types -Wno-error=int-conversion -Wno-error=deprecated-declarations -Wno-error=implicit-function-declaration -Wno-error=implicit-int -Wno-error=vla-cxx-extension -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=address -fsanitize-address-use-after-scope -fsanitize=fuzzer-no-link'
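A triage helper for reports like this one, added here as an example and not part of the original report or of jq/Oniguruma: it parses both ASAN-style and GDB-style backtrace lines, counts frames per function, and flags the crash as recursion-driven stack exhaustion (the node_min_byte_len / tune_tree repetition seen above) rather than a stack buffer overflow, while listing the outermost frames that show how the code is reached. The sample backtrace it builds and the 50-frame recursion threshold are constructed assumptions.

```python
import re
from collections import Counter

# Matches both ASAN frames ("#0 0x... in func /path/file.c:123") and GDB
# frames ("#859 tune_tree (node=...) at regcomp.c:5859", no address).
FRAME_RE = re.compile(r"^\s*#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?([A-Za-z_]\w*)")

# A function appearing more often than this in one backtrace is treated
# as recursing (assumed triage threshold, not a hard rule).
RECURSION_THRESHOLD = 50


def parse_frames(trace_text):
    """Return [(frame_no, function)] for every backtrace line found."""
    return [(int(m.group(1)), m.group(2))
            for m in map(FRAME_RE.match, trace_text.splitlines()) if m]


def triage(trace_text):
    """Classify a stack-overflow report: recursion (stack exhaustion) or not."""
    frames = parse_frames(trace_text)
    if not frames:
        return {"verdict": "no-frames", "frame_count": 0}
    counts = Counter(func for _, func in frames)
    recursive = sorted((f for f, n in counts.items() if n > RECURSION_THRESHOLD),
                       key=counts.get, reverse=True)
    return {
        "verdict": ("stack-exhaustion-by-recursion" if recursive
                    else "stack-overflow-not-recursive"),
        "frame_count": len(frames),
        "top_function": frames[0][1],               # where the fault fired
        "recursive_functions": recursive,           # what consumed the stack
        "entry_path": [f for _, f in frames[-4:]],  # outermost frames: reach
    }


def constructed_sample():
    """Constructed backtrace modelled on the report above (not the real one)."""
    tail = ["onig_compile", "f_match", "jq_next", "main"]
    funcs = ["node_min_byte_len"] * 120 + ["tune_quant", "tune_tree"] * 40 + tail
    return "\n".join(
        f"#{i} 0x00005555558aed3b in {f} (node=<optimized out>) at regcomp.c:3678"
        for i, f in enumerate(funcs))


if __name__ == "__main__":
    print(triage(constructed_sample()))
```

Feed it the real ASAN or GDB text instead of constructed_sample() to get the same summary for an actual crash.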