Fix for GHSA-f946-j5j2-4w5m

[sudhackar]

Hey team

While triaging bugs for downstream ubuntu - GHSA-f946-j5j2-4w5m seems to be fixed with 5e159b3

But even on the latest HEAD I can see that

$ git rev-parse HEAD
3c5ceac8e7df14e2bd236aa4031c83e46b82e010
$ autoreconf -i
$ make clean
$ echo "basic asan build"
$ ./configure --disable-shared --with-oniguruma=builtin CC=clang-17 'CFLAGS=-O1 -fsanitize=address -fno-omit-frame-pointer -g -ggdb3'
$ make -j 8
$ clang++-17 -fsanitize=fuzzer,address -O1 -g -ggdb3 -fno-omit-frame-pointer -L/usr/local/lib -I./src tests/jq_fuzz_execute.cpp ./.libs/libjq.a ./vendor/oniguruma/src/.libs/libonig.a -o jq_fuzz_execute
$ ./jq_fuzz_execute /tmp/in
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 634661034
INFO: Loaded 1 modules   (73 inline 8-bit counters): 73 [0x62641c9953c0, 0x62641c995409),
INFO: Loaded 1 PC tables (73 PCs): 73 [0x62641c995410,0x62641c9958a0),
./jq_fuzz_execute: Running 1 inputs 1 time(s) each.
Running: /tmp/in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==152935==ERROR: AddressSanitizer: stack-overflow on address 0x7ffd78962ff8 (pc 0x62641c87e5a8 bp 0x7ffd78963010 sp 0x7ffd78963000 T0)
    #0 0x62641c87e5a8 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3606
    #1 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #2 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #3 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #4 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #5 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #6 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #7 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #8 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #9 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #10 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #11 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #12 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #13 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #14 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #15 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #16 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #17 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #18 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #19 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #20 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #21 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #22 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #23 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #24 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #25 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #26 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #27 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #28 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #29 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #30 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #31 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #32 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #33 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #34 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #35 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #36 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #37 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #38 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #39 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #40 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #41 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #42 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #43 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #44 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #45 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #46 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #47 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #48 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #49 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #50 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #51 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #52 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #53 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #54 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #55 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #56 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #57 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #58 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #59 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #60 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #61 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #62 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #63 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #64 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #65 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #66 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #67 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #68 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #69 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #70 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #71 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #72 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #73 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #74 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #75 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #76 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #77 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #78 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #79 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #80 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #81 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #82 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #83 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #84 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #85 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #86 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #87 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #88 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #89 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #90 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #91 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #92 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #93 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #94 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #95 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #96 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #97 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #98 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #99 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #100 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #101 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #102 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #103 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #104 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #105 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #106 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #107 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #108 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #109 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #110 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #111 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #112 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #113 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #114 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #115 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #116 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #117 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #118 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #119 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #120 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #121 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #122 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #123 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #124 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #125 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #126 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #127 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #128 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #129 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #130 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #131 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #132 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #133 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #134 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #135 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #136 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #137 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #138 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #139 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #140 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #141 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #142 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #143 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #144 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #145 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #146 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #147 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #148 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #149 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #150 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #151 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #152 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #153 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #154 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #155 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #156 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #157 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #158 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #159 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #160 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #161 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #162 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #163 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #164 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #165 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #166 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #167 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #168 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #169 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #170 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #171 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #172 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #173 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #174 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #175 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #176 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #177 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #178 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #179 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #180 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #181 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #182 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #183 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #184 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #185 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #186 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #187 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #188 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #189 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #190 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #191 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #192 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #193 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #194 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #195 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #196 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #197 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #198 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #199 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #200 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #201 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #202 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #203 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #204 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #205 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #206 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #207 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #208 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #209 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #210 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #211 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #212 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #213 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #214 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #215 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #216 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #217 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #218 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #219 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #220 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #221 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #222 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #223 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #224 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #225 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #226 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #227 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #228 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #229 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #230 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #231 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #232 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #233 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #234 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #235 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #236 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #237 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #238 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #239 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #240 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #241 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #242 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #243 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #244 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #245 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15
    #246 0x62641c87e9f9 in node_min_byte_len /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3678:15

SUMMARY: AddressSanitizer: stack-overflow /home/sudhackar/fuzz/jq/vendor/oniguruma/src/regcomp.c:3606 in node_min_byte_len
==152935==ABORTING

Since the attachment in the security advisory is not public I ran a small fuzz session and got this.

$ \cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.2 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
$ clang-17 --version
Ubuntu clang version 17.0.6 (9ubuntu1)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin

attached is the in file
in.txt

[wader]

Hi, would it be possible for you to re-run with onig_set_parse_depth_limit(1024)

jq/src/main.c

Line 309 in 3c5ceac

onig_set_parse_depth_limit(1024);

to something smaller? 512 or even smaller? i haven't look deep but i would guess it's because the instrumentation added by asan causes more stack usage (even more than what afl uses).

[sudhackar]

I think you might be right and this only needs a fix in the fuzzing harness with something like

diff --git a/tests/jq_fuzz_execute.cpp b/tests/jq_fuzz_execute.cpp
index fafebdb..aa48ef5 100644
--- a/tests/jq_fuzz_execute.cpp
+++ b/tests/jq_fuzz_execute.cpp
@@ -3,6 +3,12 @@

 #include "jq.h"
 #include "jv.h"
+#include "oniguruma.h"
+
+extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) {
+  onig_set_parse_depth_limit(512);
+ return 0;
+}

 // Fuzzer inspired by /src/jq_test.c
 // The goal is to have the fuzzer execute the functions:

I'm not able to trigger or run the main jq with a file that causes this behaviour. I'll minimize this and try to repro with a smaller test case that can be run with jq itself

[sudhackar]

./jq -nf /tmp/out1
jq: error (at <unknown>): Regex failure: parse depth limit over

out.txt

[itchyny]

Is it a bad idea to call this function in builtin.c? The same issue persists in other libjq bindings.

[sudhackar]

Yes. Unless the entrypoint specifically reduces the recursion depth - any call to to the oniguruma regex will have a similar issue. Let me know on where you see this and I'll fix it in the PR linked.