@base64d: fix unhandled overflow

emanuele6 · web-flow · commit 22a03e9e06e7 · 2024-03-27T10:16:15.000+01:00
$ ./jq-before -n '238609295*"|||"|@base64d|"."' src/builtin.c:718:29: runtime error: signed integer overflow: 715827885 * 3 cannot be represented in type 'int' jq: error: cannot allocate memory Aborted (core dumped) $ ./jq-after -n '238609295*"|||"|@base64d|"."' jq: error (at <unknown>): string ("||||||||||...) is not valid base64 data Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67640
diff --git a/src/builtin.c b/src/builtin.c
@@ -715,7 +715,7 @@ static jv f_format(jq_state *jq, jv input, jv fmt) {
     input = f_tostring(jq, input);
     const unsigned char* data = (const unsigned char*)jv_string_value(input);
     int len = jv_string_length_bytes(jv_copy(input));
-    size_t decoded_len = (3 * len) / 4; // 3 usable bytes for every 4 bytes of input
+    size_t decoded_len = (3 * (size_t)len) / 4; // 3 usable bytes for every 4 bytes of input
     char *result = jv_mem_calloc(decoded_len, sizeof(char));
     memset(result, 0, decoded_len * sizeof(char));
     uint32_t ri = 0;
