File CVE-2025-48060-2.patch of Package jq.40020
Backport of:
From c6e041699d8cd31b97375a2596217aff2cfca85b Mon Sep 17 00:00:00 2001
From: itchyny <itchyny@cybozu.co.jp>
Date: Sat, 31 May 2025 11:46:40 +0900
Subject: [PATCH] Fix heap buffer overflow when formatting an empty string
The `jv_string_empty` did not properly null-terminate the string data,
which could lead to a heap buffer overflow. The test case of
GHSA-p7rr-28xf-3m5w (`0[""*0]`) was fixed by the commit dc849e9bb74a,
but another case (`0[[]|implode]`) was still vulnerable. This commit
ensures string data is properly null-terminated, and fixes CVE-2025-48060.
---
src/jv.c | 1 +
tests/jq.test | 4 ++++
2 files changed, 5 insertions(+)
Index: jq-1.6/src/jv.c
===================================================================
--- jq-1.6.orig/src/jv.c
+++ jq-1.6/src/jv.c
@@ -498,6 +498,7 @@ static jv jvp_string_empty_new(uint32_t
jvp_string* s = jvp_string_alloc(length);
s->length_hashed = 0;
memset(s->data, 0, length);
+ s->data[length] = 0;
jv r = {JV_KIND_STRING, 0, 0, 0, {&s->refcnt}};
return r;
}
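Review bot: `s->data[length] = 0;` writes one byte beyond the `length` bytes that the preceding `memset` zeroes, so this fix is only correct if `jvp_string_alloc(length)` on the first line of the hunk reserves `length + 1` bytes for `data`; that allocation is outside the hunk, and since this is a backport to jq 1.6 the sizing of `jvp_string_alloc` in that tree should be confirmed, otherwise the line trades a missing terminator for a one-byte heap write of its own. If the allocation does include the terminator, the two statements could be collapsed into `memset(s->data, 0, length + 1);` so the terminator is part of the same write, and a short comment stating that callers treat `data` as a NUL-terminated C string would record why the extra byte is required.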
Index: jq-1.6/tests/jq.test
===================================================================
--- jq-1.6.orig/tests/jq.test
+++ jq-1.6/tests/jq.test
@@ -1532,4 +1532,7 @@ isempty(1,error("foo"))
null
false
+try 0[implode] catch .
+[]
+"Cannot index number with string \"\""
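Review bot: the added test asserts only on the error message for `0[implode]` with input `[]`, which passes with or without the overflow unless the suite is run under ASan or valgrind, so it records the reproducer rather than detecting a regression; consider also adding the `0[""*0]` case from GHSA-p7rr-28xf-3m5w that the commit message cites as fixed by dc849e9bb74a, so both empty-string paths are exercised in one place. The form used here (`0[implode]` on input `[]`) differs from the `0[[]|implode]` form named in the commit message; the two are equivalent, but aligning the message with the test would avoid confusion for anyone mapping the CVE to the test case.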