From ab3b6496d1de275af1d735aef877ee0077331062 Mon Sep 17 00:00:00 2001
From: Emanuele Torre
Date: Sat, 21 Oct 2023 23:27:40 +0200
Subject: [PATCH] Fix possible uninitialised value dereference if jq_init() fails
If jq_init() fails, goto out would try to free input_state which is uninitialised. I initialised input_state to NULL to fix the problem.
I also fixed jq_util_input_init() not handling OOM errors by returning NULL, and added code to make jq exit cleanly if it returns NULL.
The code base is filled with these kinds of problems, but this one was easy to fix, so might as well fix it now...
Ref: https://github.com/jqlang/jq/pull/2934#discussion_r1367795641
Reported-By: Klemens Nanni
---
 src/main.c | 10 ++++++++--
 src/util.c | 10 ++++++----
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/src/main.c b/src/main.c
index 226c926ce2..2018b00f32 100644
--- a/src/main.c
+++ b/src/main.c
@@ -310,6 +310,7 @@ int umain(int argc, char* argv[]) {
 int main(int argc, char* argv[]) {
 #endif
 jq_state *jq = NULL;
+ jq_util_input_state *input_state = NULL;
 int ret = JQ_OK_NO_OUTPUT;
 int compiled = 0;
 int parser_flags = 0;
@@ -336,7 +337,7 @@ int main(int argc, char* argv[]) {
 jq = jq_init();
 if (jq == NULL) {
- perror("malloc");
+ perror("jq_init");
 ret = JQ_ERROR_SYSTEM;
 goto out;
 }
@@ -344,7 +345,12 @@ int main(int argc, char* argv[]) {
 int dumpopts = JV_PRINT_INDENT_FLAGS(2);
 const char* program = 0;
- jq_util_input_state *input_state = jq_util_input_init(NULL, NULL); // XXX add err_cb
+ input_state = jq_util_input_init(NULL, NULL); // XXX add err_cb
+ if (input_state == NULL) {
+ perror("jq_util_input_init");
+ ret = JQ_ERROR_SYSTEM;
+ goto out;
+ }
 int further_args_are_strings = 0;
 int further_args_are_json = 0;
diff --git a/src/util.c b/src/util.c
index 2f961e3c81..feeea09b44 100644
--- a/src/util.c
+++ b/src/util.c
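Review bot: `perror("jq_util_input_init")` in the third hunk prints whatever errno currently holds, and jq_util_input_init is not a libc call, so unless jv_mem_calloc is known to leave calloc's ENOMEM in errno untouched on the failure path the message may report a stale or zero errno; a fixed message such as `fprintf(stderr, "jq: error: jq_util_input_init: cannot allocate memory\n");` (constructed example) would be more reliable, and the same consideration applies to `perror("jq_init")` in the second hunk. The new `goto out` reaches the cleanup label with input_state == NULL, which is correct only if the release routine called at `out:` tolerates a NULL state, the same class of bug the first hunk fixes — worth confirming since the label and the rest of main are outside the hunk. main begins before the first hunk and continues past the third.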
@@ -226,10 +226,12 @@ jq_util_input_state *jq_util_input_init(jq_util_msg_cb err_cb, void *err_cb_data
 err_cb_data = stderr;
 }
 jq_util_input_state *new_state = jv_mem_calloc(1, sizeof(*new_state));
- new_state->err_cb = err_cb;
- new_state->err_cb_data = err_cb_data;
- new_state->slurped = jv_invalid();
- new_state->current_filename = jv_invalid();
+ if (new_state) {
+ new_state->err_cb = err_cb;
+ new_state->err_cb_data = err_cb_data;
+ new_state->slurped = jv_invalid();
+ new_state->current_filename = jv_invalid();
+ }
 return new_state;
 }
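Review bot: jq_util_input_init can now return NULL, which is a contract change that the declaration in its header (not part of this patch) should state, e.g. `/* Returns NULL if the input state could not be allocated; the caller owns the result. */`, and any caller other than the one fixed in main.c needs the same NULL check. If jv_mem_calloc itself aborts or exits on allocation failure, as allocation wrappers in many code bases do, the new `if (new_state)` branch is unreachable and the main.c check is defensive only — worth confirming against the allocator before relying on it. jq_util_input_init begins before this hunk; only its tail is visible here.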