jq: heap-buffer-overflow in tokenadd() function (CVE-2015-8863)
Off-by-one error in the tokenadd function in jv_parse.c in jq allows
remote attackers to cause a denial of service (crash) via a long
JSON-encoded number,
which triggers a heap-based buffer overflow.
References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8863
http://www.openwall.com/lists/oss-security/2016/04/23/1
Patch:
https://github.com/stedolan/jq/commit/8eb1367ca44e772963e704a700ef72ae2e12babd
(from redmine: issue id 5631, created on 2016-05-26, closed on 2016-06-23)
- Relations:
- child #5632 (closed)
- child #5633 (closed)