From 21c804521479c750bdf6d26506964ab3aa207481 Mon Sep 17 00:00:00 2001
From: Ruikai Peng
Date: Fri, 20 Mar 2026 14:15:17 +0800
Subject: [PATCH] jinja : fix heap OOB read in value equality comparison (#20782)

Address GHSA-q9j6-4hhc-rq9p and GHSA-2q4c-9gq5-5vfp. The three-iterator overload of std::equal in value_array_t::equivalent() and value_object_t::equivalent() reads past the end of the shorter container when comparing arrays or objects of different lengths. Use the four-iterator overload (C++14) which checks both range lengths.

Found-by: Pwno
---
 common/jinja/value.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common/jinja/value.h b/common/jinja/value.h
index 6cbedefd96..7d164588ad 100644
--- a/common/jinja/value.h
+++ b/common/jinja/value.h
@@ -451,7 +451,7 @@ struct value_array_t : public value_t {
 }
 protected:
 virtual bool equivalent(const value_t & other) const override {
- return typeid(*this) == typeid(other) && is_hashable() && other.is_hashable() && std::equal(val_arr.begin(), val_arr.end(), other.val_arr.begin(), value_equivalence());
+ return typeid(*this) == typeid(other) && is_hashable() && other.is_hashable() && std::equal(val_arr.begin(), val_arr.end(), other.val_arr.begin(), other.val_arr.end(), value_equivalence());
 }
 };
 using value_array = std::shared_ptr;
@@ -587,7 +587,7 @@ struct value_object_t : public value_t {
 }
 protected:
 virtual bool equivalent(const value_t & other) const override {
- return typeid(*this) == typeid(other) && is_hashable() && other.is_hashable() && std::equal(val_obj.begin(), val_obj.end(), other.val_obj.begin(), value_equivalence());
+ return typeid(*this) == typeid(other) && is_hashable() && other.is_hashable() && std::equal(val_obj.begin(), val_obj.end(), other.val_obj.begin(), other.val_obj.end(), value_equivalence());
 }
 };
 using value_object = std::shared_ptr;
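Review bot: Nothing on the new return line of value_array_t::equivalent() records why the end iterator of `other` has to be passed, so a later tidy-up could quietly go back to the three-iterator form and reintroduce the out-of-bounds read. A one-line comment above the return would keep the reason next to the code, for example `// four-iterator std::equal bounds both ranges: unequal lengths compare false instead of reading past the shorter one`. The same applies to value_object_t::equivalent() in the second hunk. The diffstat lists only value.h, so a regression test that compares arrays and objects of different lengths, run in a sanitizer build, would pin the fix. Both struct bodies begin outside their hunks, so any other three-iterator std::equal call in this header is not visible here and is worth a quick search.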