* [PATCHv2 1/8] jq: patch CVE-2026-49839
@ 2026-06-16 6:27 Anton Skorup
2026-06-16 6:27 ` [PATCH 2/8] jq: patch CVE-2026-41256 Anton Skorup
` (6 more replies)
0 siblings, 7 replies; 8+ messages in thread
From: Anton Skorup @ 2026-06-16 6:27 UTC (permalink / raw)
To: openembedded-devel; +Cc: Anton Skorup, Anton Skorup
From: Anton Skorup <anton@skorup.se>
CVE details: https://vulert.com/vuln-db/--4743
Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
v2
* Added patch to stack of jq CVEs
---
.../jq/jq/CVE-2026-49389.patch | 31 +++++++++++++++++++
meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
2 files changed, 32 insertions(+)
create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
new file mode 100644
index 0000000000..3189158b4a
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-49389.patch
@@ -0,0 +1,31 @@
+From e987df0d463d85fd70825e042a082427e8275b86 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Mon, 8 Jun 2026 22:14:48 +0900
+Subject: [PATCH] Fix heap-buffer-overflow in raw file loading
+
+When `jv_string_append_buf` overflows the string length limit,
+it returns an invalid `jv`; `jv_load_file` then re-entered it
+on the invalid value and overran the heap. Break out of the loop
+once the value is invalid.
+
+Fixes CVE-2026-49839.
+
+Signed-off-by: Anton Skorup <anton.skorup@axis.com>
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/e987df0d463d85fd70825e042a082427e8275b86]
+---
+ src/jv_file.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/jv_file.c b/src/jv_file.c
+index 7706b0e06e..fbc1e4d653 100644
+--- a/src/jv_file.c
++++ b/src/jv_file.c
+@@ -57,6 +57,8 @@ jv jv_load_file(const char* filename, int raw) {
+
+ if (raw) {
+ data = jv_string_append_buf(data, buf, n);
++ if (!jv_is_valid(data))
++ break;
+ } else {
+ jv_parser_set_buf(parser, buf, n, !feof(file));
+ jv value;
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 026f6bfa71..0419ccd46d 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
file://CVE-2026-33947.patch \
file://CVE-2026-33948.patch \
file://CVE-2026-39979.patch \
+ file://CVE-2026-49389.patch \
"
inherit autotools ptest
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 2/8] jq: patch CVE-2026-41256
2026-06-16 6:27 [PATCHv2 1/8] jq: patch CVE-2026-49839 Anton Skorup
@ 2026-06-16 6:27 ` Anton Skorup
2026-06-16 6:27 ` [PATCH 3/8] jq: patch CVE-2026-44777 Anton Skorup
` (5 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Anton Skorup @ 2026-06-16 6:27 UTC (permalink / raw)
To: openembedded-devel; +Cc: Anton Skorup, Anton Skorup
From: Anton Skorup <anton@skorup.se>
CVE details: https://www.cve.org/CVERecord?id=CVE-2026-41256
Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
.../jq/jq/CVE-2026-41256.patch | 49 +++++++++++++++++++
meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
2 files changed, 50 insertions(+)
create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch
new file mode 100644
index 0000000000..738a359e6a
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41256.patch
@@ -0,0 +1,49 @@
+From 5a015deae35d19e3ebbc65db6c157a80e76df738 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Fri, 24 Apr 2026 22:15:08 +0900
+Subject: [PATCH] Fix NUL truncation in program files loaded with -f
+
+This fixes CVE-2026-41256.
+
+Signed-off-by: Anton Skorup <anton.skorup@axis.com>
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/5a015deae35d19e3ebbc65db6c157a80e76df738]
+---
+ src/main.c | 8 ++++++++
+ tests/shtest | 7 +++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/src/main.c b/src/main.c
+index ce362607e2..fb5c7ab8e3 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -612,6 +612,14 @@ int main(int argc, char* argv[]) {
+ ret = JQ_ERROR_SYSTEM;
+ goto out;
+ }
++ int len = jv_string_length_bytes(jv_copy(data));
++ if ((size_t)len != strlen(jv_string_value(data))) {
++ fprintf(stderr, "jq: program file contains NUL bytes\n");
++ free(program_origin);
++ jv_free(data);
++ ret = JQ_ERROR_SYSTEM;
++ goto out;
++ }
+ jq_set_attr(jq, jv_string("PROGRAM_ORIGIN"), jq_realpath(jv_string(dirname(program_origin))));
+ ARGS = JV_OBJECT(jv_string("positional"), ARGS,
+ jv_string("named"), jv_copy(program_arguments));
+diff --git a/tests/shtest b/tests/shtest
+index 370f7b7c69..68705df255 100755
+--- a/tests/shtest
++++ b/tests/shtest
+@@ -886,4 +886,11 @@ if printf '{}\x00{}' | $JQ >/dev/null 2> /dev/null; then
+ exit 1
+ fi
+
++# CVE-2026-41256: No NUL truncation in program files loaded with -f
++printf '.\x00invalid' > "$d/nul_prog.jq"
++if echo '42' | $JQ -f "$d/nul_prog.jq" >/dev/null 2>/dev/null; then
++ printf 'Error expected for program file with NUL bytes\n' 1>&2
++ exit 1
++fi
++
+ exit 0
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 0419ccd46d..34616e0af6 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
file://CVE-2026-33947.patch \
file://CVE-2026-33948.patch \
file://CVE-2026-39979.patch \
+ file://CVE-2026-41256.patch \
file://CVE-2026-49389.patch \
"
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 3/8] jq: patch CVE-2026-44777
2026-06-16 6:27 [PATCHv2 1/8] jq: patch CVE-2026-49839 Anton Skorup
2026-06-16 6:27 ` [PATCH 2/8] jq: patch CVE-2026-41256 Anton Skorup
@ 2026-06-16 6:27 ` Anton Skorup
2026-06-16 6:27 ` [PATCH 4/8] jq: patch CVE-2026-43896 Anton Skorup
` (4 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Anton Skorup @ 2026-06-16 6:27 UTC (permalink / raw)
To: openembedded-devel; +Cc: Anton Skorup, Anton Skorup
From: Anton Skorup <anton@skorup.se>
CVE details: https://www.cve.org/CVERecord?id=CVE-2026-44777
Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
.../jq/jq/CVE-2026-44777.patch | 233 ++++++++++++++++++
meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
2 files changed, 234 insertions(+)
create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch
new file mode 100644
index 0000000000..f6bf926a0a
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-44777.patch
@@ -0,0 +1,233 @@
+From f58787c41835d9b17795730cb04925fdba25c71c Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Mon, 11 May 2026 20:41:38 +0900
+Subject: [PATCH] Detect circular module imports to prevent stack overflow
+
+jq used to recurse without bound on mutual or self-referential
+`import` declarations, exhausting the stack. Track each library's
+load state with a `loading` flag set before its dependencies are
+processed; a recursive reference to an in-progress library now
+reports "circular import of X".
+
+Fixes CVE-2026-44777.
+
+Signed-off-by: Anton Skorup <anton.skorup@axis.com>
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/f58787c41835d9b17795730cb04925fdba25c71c]
+---
+ Makefile.am | 2 ++
+ src/linker.c | 59 ++++++++++++++++++++++++-------------
+ tests/modules/cycle_a.jq | 2 ++
+ tests/modules/cycle_b.jq | 2 ++
+ tests/modules/cycle_self.jq | 2 ++
+ tests/shtest | 23 +++++++++++++++
+ 6 files changed, 70 insertions(+), 20 deletions(-)
+ create mode 100644 tests/modules/cycle_a.jq
+ create mode 100644 tests/modules/cycle_b.jq
+ create mode 100644 tests/modules/cycle_self.jq
+
+diff --git a/Makefile.am b/Makefile.am
+index acb94435f4..e2321bb196 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -232,6 +232,8 @@ EXTRA_DIST = $(DOC_FILES) $(man_MANS) $(TESTS) $(TEST_LOG_COMPILER) \
+ tests/modules/test_bind_order0.jq \
+ tests/modules/test_bind_order1.jq \
+ tests/modules/test_bind_order2.jq \
++ tests/modules/cycle_a.jq tests/modules/cycle_b.jq \
++ tests/modules/cycle_self.jq \
+ tests/onig.supp tests/local.supp \
+ tests/setup tests/torture/input0.json \
+ tests/optional.test tests/man.test tests/manonig.test \
+diff --git a/src/linker.c b/src/linker.c
+index e9027004cc..03f46db05c 100644
+--- a/src/linker.c
++++ b/src/linker.c
+@@ -20,9 +20,13 @@
+ #include "compile.h"
+ #include "jv_alloc.h"
+
++struct lib_entry {
++ char *name;
++ block def;
++ int loading;
++};
+ struct lib_loading_state {
+- char **names;
+- block *defs;
++ struct lib_entry *entries;
+ uint64_t ct;
+ };
+ static int load_library(jq_state *jq, jv lib_path,
+@@ -303,14 +307,24 @@ static int process_dependencies(jq_state *jq, jv jq_origin, jv lib_origin, block
+ } else {
+ uint64_t state_idx = 0;
+ for (; state_idx < lib_state->ct; ++state_idx) {
+- if (strcmp(lib_state->names[state_idx],jv_string_value(resolved)) == 0)
++ if (strcmp(lib_state->entries[state_idx].name, jv_string_value(resolved)) == 0)
+ break;
+ }
+
+ if (state_idx < lib_state->ct) { // Found
++ if (lib_state->entries[state_idx].loading) {
++ jq_report_error(jq, jv_string_fmt("jq: error: circular import of %s\n",
++ jv_string_value(resolved)));
++ jv_free(resolved);
++ jv_free(as);
++ jv_free(deps);
++ jv_free(jq_origin);
++ jv_free(lib_origin);
++ return 1;
++ }
+ jv_free(resolved);
+ // Bind the library to the program
+- bk = block_bind_library(lib_state->defs[state_idx], bk, OP_IS_CALL_PSEUDO, as_str);
++ bk = block_bind_library(lib_state->entries[state_idx].def, bk, OP_IS_CALL_PSEUDO, as_str);
+ } else { // Not found. Add it to the table before binding.
+ block dep_def_block = gen_noop();
+ nerrors += load_library(jq, resolved, is_data, raw, optional, as_str, &dep_def_block, lib_state);
+@@ -352,32 +366,38 @@ static int load_library(jq_state *jq, jv lib_path, int is_data, int raw, int opt
+ jq_report_error(jq, jv_string_fmt("jq: error loading data file %s: %s\n", jv_string_value(lib_path), jv_string_value(data)));
+ nerrors++;
+ }
+- goto out;
+ } else if (is_data) {
+ // import "foo" as $bar;
+ program = gen_const_global(jv_copy(data), as);
++ state_idx = lib_state->ct++;
++ lib_state->entries = jv_mem_realloc(lib_state->entries, lib_state->ct * sizeof(struct lib_entry));
++ lib_state->entries[state_idx].name = strdup(jv_string_value(lib_path));
++ lib_state->entries[state_idx].def = program;
++ lib_state->entries[state_idx].loading = 0;
+ } else {
+ // import "foo" as bar;
+ src = locfile_init(jq, jv_string_value(lib_path), jv_string_value(data), jv_string_length_bytes(jv_copy(data)));
+ nerrors += jq_parse_library(src, &program);
+ locfile_free(src);
+ if (nerrors == 0) {
++ // Register the library before processing its dependencies so that
++ // circular imports can be detected.
++ state_idx = lib_state->ct++;
++ lib_state->entries = jv_mem_realloc(lib_state->entries, lib_state->ct * sizeof(struct lib_entry));
++ lib_state->entries[state_idx].name = strdup(jv_string_value(lib_path));
++ lib_state->entries[state_idx].def = gen_noop();
++ lib_state->entries[state_idx].loading = 1;
++
+ char *lib_origin = strdup(jv_string_value(lib_path));
+ nerrors += process_dependencies(jq, jq_get_jq_origin(jq),
+ jv_string(dirname(lib_origin)),
+ &program, lib_state);
+ free(lib_origin);
+ program = block_bind_self(program, OP_IS_CALL_PSEUDO);
++ lib_state->entries[state_idx].def = program;
++ lib_state->entries[state_idx].loading = 0;
+ }
+ }
+- if (nerrors == 0) {
+- state_idx = lib_state->ct++;
+- lib_state->names = jv_mem_realloc(lib_state->names, lib_state->ct * sizeof(const char *));
+- lib_state->defs = jv_mem_realloc(lib_state->defs, lib_state->ct * sizeof(block));
+- lib_state->names[state_idx] = strdup(jv_string_value(lib_path));
+- lib_state->defs[state_idx] = program;
+- }
+-out:
+ *out_block = program;
+ jv_free(lib_path);
+ jv_free(data);
+@@ -415,7 +435,7 @@ jv load_module_meta(jq_state *jq, jv mod_relpath) {
+ int load_program(jq_state *jq, struct locfile* src, block *out_block) {
+ int nerrors = 0;
+ block program;
+- struct lib_loading_state lib_state = {0,0,0};
++ struct lib_loading_state lib_state = {0,0};
+ nerrors = jq_parse(src, &program);
+ if (nerrors)
+ return nerrors;
+@@ -441,14 +461,13 @@ int load_program(jq_state *jq, struct locfile* src, block *out_block) {
+ nerrors = process_dependencies(jq, jq_get_jq_origin(jq), jq_get_prog_origin(jq), &program, &lib_state);
+ block libs = gen_noop();
+ for (uint64_t i = 0; i < lib_state.ct; ++i) {
+- free(lib_state.names[i]);
+- if (nerrors == 0 && !block_is_const(lib_state.defs[i]))
+- libs = block_join(libs, lib_state.defs[i]);
++ free(lib_state.entries[i].name);
++ if (nerrors == 0 && !block_is_const(lib_state.entries[i].def))
++ libs = block_join(libs, lib_state.entries[i].def);
+ else
+- block_free(lib_state.defs[i]);
++ block_free(lib_state.entries[i].def);
+ }
+- free(lib_state.names);
+- free(lib_state.defs);
++ free(lib_state.entries);
+ if (nerrors)
+ block_free(program);
+ else
+diff --git a/tests/modules/cycle_a.jq b/tests/modules/cycle_a.jq
+new file mode 100644
+index 0000000000..30c1deaedf
+--- /dev/null
++++ b/tests/modules/cycle_a.jq
+@@ -0,0 +1,2 @@
++import "cycle_b" as b;
++def f: null;
+diff --git a/tests/modules/cycle_b.jq b/tests/modules/cycle_b.jq
+new file mode 100644
+index 0000000000..3fdc360fcd
+--- /dev/null
++++ b/tests/modules/cycle_b.jq
+@@ -0,0 +1,2 @@
++import "cycle_a" as a;
++def f: null;
+diff --git a/tests/modules/cycle_self.jq b/tests/modules/cycle_self.jq
+new file mode 100644
+index 0000000000..8365eab1a4
+--- /dev/null
++++ b/tests/modules/cycle_self.jq
+@@ -0,0 +1,2 @@
++import "cycle_self" as s;
++def f: null;
+diff --git a/tests/shtest b/tests/shtest
+index fa972de870..aca82790bc 100755
+--- a/tests/shtest
++++ b/tests/shtest
+@@ -382,17 +382,40 @@ if ! HOME="$mods/home2" $VALGRIND $Q $JQ -n 'include "g"; empty'; then
+ exit 1
+ fi
+
++(
+ cd "$JQBASEDIR" # so that relative library paths are guaranteed correct
+ if ! $VALGRIND $Q $JQ -L ./tests/modules -ne 'import "test_bind_order" as check; check::check==true'; then
+ echo "Issue #817 regression?" 1>&2
+ exit 1
+ fi
++)
+
++(
+ cd "$JQBASEDIR"
+ if ! $VALGRIND $Q $JQ -L tests/modules -ne 'import "test_bind_order" as check; check::check==true'; then
+ echo "Issue #817 regression?" 1>&2
+ exit 1
+ fi
++)
++
++# CVE-2026-44777: Circular imports should be detected
++if $VALGRIND $JQ -L "$mods" -ne 'import "cycle_a" as a; null' 2> $d/out; then
++ echo "Mutual import should be rejected" 1>&2
++ exit 1
++fi
++if ! grep -q "circular import" $d/out; then
++ echo "Expected circular import error" 1>&2
++ exit 1
++fi
++
++if $VALGRIND $JQ -L "$mods" -ne 'import "cycle_self" as s; null' 2> $d/out; then
++ echo "Self import should be rejected" 1>&2
++ exit 1
++fi
++if ! grep -q "circular import" $d/out; then
++ echo "Expected circular import error" 1>&2
++ exit 1
++fi
+
+ ## Halt
+
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 34616e0af6..2e6c3a3eea 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
file://CVE-2026-33948.patch \
file://CVE-2026-39979.patch \
file://CVE-2026-41256.patch \
+ file://CVE-2026-44777.patch \
file://CVE-2026-49389.patch \
"
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 4/8] jq: patch CVE-2026-43896
2026-06-16 6:27 [PATCHv2 1/8] jq: patch CVE-2026-49839 Anton Skorup
2026-06-16 6:27 ` [PATCH 2/8] jq: patch CVE-2026-41256 Anton Skorup
2026-06-16 6:27 ` [PATCH 3/8] jq: patch CVE-2026-44777 Anton Skorup
@ 2026-06-16 6:27 ` Anton Skorup
2026-06-16 6:27 ` [PATCH 5/8] jq: patch CVE-2026-41257 Anton Skorup
` (3 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Anton Skorup @ 2026-06-16 6:27 UTC (permalink / raw)
To: openembedded-devel; +Cc: Anton Skorup, Anton Skorup
From: Anton Skorup <anton@skorup.se>
CVE details: https://www.cve.org/CVERecord?id=CVE-2026-43896
Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
.../jq/jq/CVE-2026-43896.patch | 82 +++++++++++++++++++
meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
2 files changed, 83 insertions(+)
create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch
new file mode 100644
index 0000000000..318c86a121
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43896.patch
@@ -0,0 +1,82 @@
+From 532ccea6080ed6758f39fe9f6208a44b665023d2 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Tue, 5 May 2026 22:44:02 +0900
+Subject: [PATCH] Limit recursive object merge depth to prevent stack overflow
+
+This fixes CVE-2026-43896.
+
+Signed-off-by: Anton Skorup <anton.skorup@axis.com>
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/532ccea6080ed6758f39fe9f6208a44b665023d2]
+---
+ src/jv.c | 25 +++++++++++++++++++++++--
+ tests/jq.test | 9 +++++++++
+ 2 files changed, 32 insertions(+), 2 deletions(-)
+
+diff --git a/src/jv.c b/src/jv.c
+index feb68d1a1c..84fafef666 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -1899,16 +1899,33 @@ jv jv_object_merge(jv a, jv b) {
+ return a;
+ }
+
+-jv jv_object_merge_recursive(jv a, jv b) {
++#ifndef MAX_OBJECT_MERGE_DEPTH
++#define MAX_OBJECT_MERGE_DEPTH (10000)
++#endif
++
++static jv jvp_object_merge_recursive(jv a, jv b, int depth) {
+ assert(JVP_HAS_KIND(a, JV_KIND_OBJECT));
+ assert(JVP_HAS_KIND(b, JV_KIND_OBJECT));
+
++ if (depth > MAX_OBJECT_MERGE_DEPTH) {
++ jv_free(a);
++ jv_free(b);
++ return jv_invalid_with_msg(jv_string("Object merge too deep"));
++ }
++
+ jv_object_foreach(b, k, v) {
+ jv elem = jv_object_get(jv_copy(a), jv_copy(k));
+ if (jv_is_valid(elem) &&
+ JVP_HAS_KIND(elem, JV_KIND_OBJECT) &&
+ JVP_HAS_KIND(v, JV_KIND_OBJECT)) {
+- a = jv_object_set(a, k, jv_object_merge_recursive(elem, v));
++ jv merged = jvp_object_merge_recursive(elem, v, depth + 1);
++ if (!jv_is_valid(merged)) {
++ jv_free(k);
++ jv_free(a);
++ jv_free(b);
++ return merged;
++ }
++ a = jv_object_set(a, k, merged);
+ } else {
+ jv_free(elem);
+ a = jv_object_set(a, k, v);
+@@ -1919,6 +1936,10 @@ jv jv_object_merge_recursive(jv a, jv b) {
+ return a;
+ }
+
++jv jv_object_merge_recursive(jv a, jv b) {
++ return jvp_object_merge_recursive(a, b, 0);
++}
++
+ /*
+ * Object iteration (internal helpers)
+ */
+diff --git a/tests/jq.test b/tests/jq.test
+index 8094a5b6eb..9a80341f52 100644
+--- a/tests/jq.test
++++ b/tests/jq.test
+@@ -2602,3 +2602,12 @@ true
+ try (reduce range(10001) as $_ ([]; [.]) as $x | $x | contains($x)) catch .
+ null
+ "Containment check too deep"
++
++# regression test for CVE-2026-43896
++reduce range(10000) as $_ ({}; {a: .}) as $x | $x * $x | length
++null
++1
++
++try (reduce range(10001) as $_ ({}; {a: .}) as $x | $x * $x) catch .
++null
++"Object merge too deep"
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 2e6c3a3eea..082a827041 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
file://CVE-2026-33948.patch \
file://CVE-2026-39979.patch \
file://CVE-2026-41256.patch \
+ file://CVE-2026-43896.patch \
file://CVE-2026-44777.patch \
file://CVE-2026-49389.patch \
"
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 5/8] jq: patch CVE-2026-41257
2026-06-16 6:27 [PATCHv2 1/8] jq: patch CVE-2026-49839 Anton Skorup
` (2 preceding siblings ...)
2026-06-16 6:27 ` [PATCH 4/8] jq: patch CVE-2026-43896 Anton Skorup
@ 2026-06-16 6:27 ` Anton Skorup
2026-06-16 6:27 ` [PATCH 6/8] jq: patch CVE-2026-40612 Anton Skorup
` (2 subsequent siblings)
6 siblings, 0 replies; 8+ messages in thread
From: Anton Skorup @ 2026-06-16 6:27 UTC (permalink / raw)
To: openembedded-devel; +Cc: Anton Skorup, Anton Skorup
From: Anton Skorup <anton@skorup.se>
CVE details: https://www.cve.org/CVERecord?id=CVE-2026-41257
Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
.../jq/jq/CVE-2026-41257.patch | 52 +++++++++++++++++++
meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
2 files changed, 53 insertions(+)
create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch
new file mode 100644
index 0000000000..8bf3ecd325
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-41257.patch
@@ -0,0 +1,52 @@
+From 01b3cded76daacbfddb7f8763700b0803bcb5c6f Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Fri, 24 Apr 2026 22:09:44 +0900
+Subject: [PATCH] Fix signed-int overflow in `stack_reallocate`
+
+This fixes CVE-2026-41257.
+
+Signed-off-by: Anton Skorup <anton.skorup@axis.com>
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/01b3cded76daacbfddb7f8763700b0803bcb5c6f]
+---
+ src/exec_stack.h | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/exec_stack.h b/src/exec_stack.h
+index 2a063e8cf9..159c56e4fb 100644
+--- a/src/exec_stack.h
++++ b/src/exec_stack.h
+@@ -2,8 +2,10 @@
+ #define EXEC_STACK_H
+ #include <stddef.h>
+ #include <stdint.h>
++#include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
++#include <limits.h>
+ #include "jv_alloc.h"
+
+ /*
+@@ -81,15 +83,19 @@ static stack_ptr* stack_block_next(struct stack* s, stack_ptr p) {
+ }
+
+ static void stack_reallocate(struct stack* s, size_t sz) {
+- int old_mem_length = -(s->bound) + ALIGNMENT;
+- char* old_mem_start = (s->mem_end != NULL) ? (s->mem_end - old_mem_length) : NULL;
++ size_t old_mem_length = (size_t)(-(s->bound)) + ALIGNMENT;
++ char* old_mem_start = s->mem_end != NULL ? s->mem_end - old_mem_length : NULL;
+
+- int new_mem_length = align_round_up((old_mem_length + sz + 256) * 2);
++ size_t new_mem_length = align_round_up((old_mem_length + sz + 256) * 2);
++ if (new_mem_length > INT_MAX) {
++ fprintf(stderr, "jq: error: cannot allocate memory\n");
++ abort();
++ }
+ char* new_mem_start = jv_mem_realloc(old_mem_start, new_mem_length);
+ memmove(new_mem_start + (new_mem_length - old_mem_length),
+ new_mem_start, old_mem_length);
+ s->mem_end = new_mem_start + new_mem_length;
+- s->bound = -(new_mem_length - ALIGNMENT);
++ s->bound = -(int)(new_mem_length - ALIGNMENT);
+ }
+
+ static stack_ptr stack_push_block(struct stack* s, stack_ptr p, size_t sz) {
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 082a827041..bb4601b667 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -18,6 +18,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
file://CVE-2026-33948.patch \
file://CVE-2026-39979.patch \
file://CVE-2026-41256.patch \
+ file://CVE-2026-41257.patch \
file://CVE-2026-43896.patch \
file://CVE-2026-44777.patch \
file://CVE-2026-49389.patch \
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 6/8] jq: patch CVE-2026-40612
2026-06-16 6:27 [PATCHv2 1/8] jq: patch CVE-2026-49839 Anton Skorup
` (3 preceding siblings ...)
2026-06-16 6:27 ` [PATCH 5/8] jq: patch CVE-2026-41257 Anton Skorup
@ 2026-06-16 6:27 ` Anton Skorup
2026-06-16 6:27 ` [PATCH 7/8] jq: patch CVE-2026-43894 Anton Skorup
2026-06-16 6:27 ` [PATCH 8/8] jq: patch CVE-2026-43895 Anton Skorup
6 siblings, 0 replies; 8+ messages in thread
From: Anton Skorup @ 2026-06-16 6:27 UTC (permalink / raw)
To: openembedded-devel; +Cc: Anton Skorup, Anton Skorup
From: Anton Skorup <anton@skorup.se>
CVE details: https://www.cve.org/CVERecord?id=CVE-2026-40612
Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
.../jq/jq/CVE-2026-40612.patch | 136 ++++++++++++++++++
meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
2 files changed, 137 insertions(+)
create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch
new file mode 100644
index 0000000000..4078b8b10d
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-40612.patch
@@ -0,0 +1,136 @@
+From d1a12569d91641135976a8536776a4a329c02cc2 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Fri, 24 Apr 2026 22:02:24 +0900
+Subject: [PATCH] Limit the containment check depth
+
+This fixes CVE-2026-40612.
+
+Signed-off-by: Anton Skorup
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/d1a12569d91641135976a8536776a4a329c02cc2]
+---
+ src/builtin.c | 5 ++++-
+ src/jv.c | 40 +++++++++++++++++++++++++++-------------
+ tests/jq.test | 9 +++++++++
+ 3 files changed, 40 insertions(+), 14 deletions(-)
+
+diff --git a/src/builtin.c b/src/builtin.c
+index d33e9fb162..2b2a2d40da 100644
+--- a/src/builtin.c
++++ b/src/builtin.c
+@@ -421,7 +421,10 @@ jv binop_greatereq(jv a, jv b) {
+
+ static jv f_contains(jq_state *jq, jv a, jv b) {
+ if (jv_get_kind(a) == jv_get_kind(b)) {
+- return jv_bool(jv_contains(a, b));
++ int r = jv_contains(a, b);
++ if (r < 0)
++ return jv_invalid_with_msg(jv_string("Containment check too deep"));
++ return jv_bool(r);
+ } else {
+ return type_error2(a, b, "cannot have their containment checked");
+ }
+diff --git a/src/jv.c b/src/jv.c
+index 607ac174f7..4b18c00cf6 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -938,19 +938,19 @@ static void jvp_clamp_slice_params(int len, int *pstart, int *pend)
+ }
+
+
+-static int jvp_array_contains(jv a, jv b) {
++static int jvp_contains(jv a, jv b, int depth);
++
++static int jvp_array_contains(jv a, jv b, int depth) {
+ int r = 1;
+ jv_array_foreach(b, bi, belem) {
+ int ri = 0;
+ jv_array_foreach(a, ai, aelem) {
+- if (jv_contains(aelem, jv_copy(belem))) {
+- ri = 1;
+- break;
+- }
++ ri = jvp_contains(aelem, jv_copy(belem), depth);
++ if (ri) break;
+ }
+ jv_free(belem);
+- if (!ri) {
+- r = 0;
++ if (ri <= 0) {
++ r = ri;
+ break;
+ }
+ }
+@@ -1844,7 +1844,7 @@ static int jvp_object_equal(jv o1, jv o2) {
+ return len1 == len2;
+ }
+
+-static int jvp_object_contains(jv a, jv b) {
++static int jvp_object_contains(jv a, jv b, int depth) {
+ assert(JVP_HAS_KIND(a, JV_KIND_OBJECT));
+ assert(JVP_HAS_KIND(b, JV_KIND_OBJECT));
+ int r = 1;
+@@ -1852,9 +1852,9 @@ static int jvp_object_contains(jv a, jv b) {
+ jv_object_foreach(b, key, b_val) {
+ jv a_val = jv_object_get(jv_copy(a), key);
+
+- r = jv_contains(a_val, b_val);
++ r = jvp_contains(a_val, b_val, depth);
+
+- if (!r) break;
++ if (r <= 0) break;
+ }
+ return r;
+ }
+@@ -2086,14 +2086,23 @@ int jv_identical(jv a, jv b) {
+ return r;
+ }
+
+-int jv_contains(jv a, jv b) {
++#ifndef MAX_CONTAINS_DEPTH
++#define MAX_CONTAINS_DEPTH (10000)
++#endif
++
++static int jvp_contains(jv a, jv b, int depth) {
++ if (depth > MAX_CONTAINS_DEPTH) {
++ jv_free(a);
++ jv_free(b);
++ return -1;
++ }
+ int r = 1;
+ if (jv_get_kind(a) != jv_get_kind(b)) {
+ r = 0;
+ } else if (JVP_HAS_KIND(a, JV_KIND_OBJECT)) {
+- r = jvp_object_contains(a, b);
++ r = jvp_object_contains(a, b, depth + 1);
+ } else if (JVP_HAS_KIND(a, JV_KIND_ARRAY)) {
+- r = jvp_array_contains(a, b);
++ r = jvp_array_contains(a, b, depth + 1);
+ } else if (JVP_HAS_KIND(a, JV_KIND_STRING)) {
+ int b_len = jv_string_length_bytes(jv_copy(b));
+ if (b_len != 0) {
+@@ -2109,3 +2118,8 @@ int jv_contains(jv a, jv b) {
+ jv_free(b);
+ return r;
+ }
++
++// Returns 1 (contained), 0 (not contained), or -1 (too deep)
++int jv_contains(jv a, jv b) {
++ return jvp_contains(a, b, 0);
++}
+diff --git a/tests/jq.test b/tests/jq.test
+index 0cd5198f8d..8094a5b6eb 100644
+--- a/tests/jq.test
++++ b/tests/jq.test
+@@ -2593,3 +2593,12 @@ null
+ try delpaths([[range(10001) | 0]]) catch .
+ null
+ "Path too deep"
++
++# regression test for CVE-2026-40612
++reduce range(10000) as $_ ([]; [.]) | contains([[]])
++null
++true
++
++try (reduce range(10001) as $_ ([]; [.]) as $x | $x | contains($x)) catch .
++null
++"Containment check too deep"
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index bb4601b667..0653dcd1f1 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -17,6 +17,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
file://CVE-2026-33947.patch \
file://CVE-2026-33948.patch \
file://CVE-2026-39979.patch \
+ file://CVE-2026-40612.patch \
file://CVE-2026-41256.patch \
file://CVE-2026-41257.patch \
file://CVE-2026-43896.patch \
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 7/8] jq: patch CVE-2026-43894
2026-06-16 6:27 [PATCHv2 1/8] jq: patch CVE-2026-49839 Anton Skorup
` (4 preceding siblings ...)
2026-06-16 6:27 ` [PATCH 6/8] jq: patch CVE-2026-40612 Anton Skorup
@ 2026-06-16 6:27 ` Anton Skorup
2026-06-16 6:27 ` [PATCH 8/8] jq: patch CVE-2026-43895 Anton Skorup
6 siblings, 0 replies; 8+ messages in thread
From: Anton Skorup @ 2026-06-16 6:27 UTC (permalink / raw)
To: openembedded-devel; +Cc: Anton Skorup, Anton Skorup
From: Anton Skorup <anton@skorup.se>
CVE details: https://www.cve.org/CVERecord?id=CVE-2026-43894
Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
.../jq/jq/CVE-2026-43894.patch | 52 +++++++++++++++++++
meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
2 files changed, 53 insertions(+)
create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch
new file mode 100644
index 0000000000..3b73647de0
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43894.patch
@@ -0,0 +1,52 @@
+From 9761ceb7d6cc48c16b25f0ab1baaef0e701927e4 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Wed, 6 May 2026 19:45:24 +0900
+Subject: [PATCH] Reject numeric literals longer than DEC_MAX_DIGITS
+ (999999999)
+
+A signed-int overflow in decNumber's D2U macro lets huge literals
+write attacker-controlled bytes past a stack buffer. Cap the length
+before calling decNumberFromString, and pre-slice long strings in
+jv_dump_string_trunc so the resulting error message doesn't itself
+allocate a multi-GiB buffer.
+
+Fixes CVE-2026-43894.
+
+Signed-off-by: Anton Skorup
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/9761ceb7d6cc48c16b25f0ab1baaef0e701927e4]
+---
+ src/jv.c | 5 ++++-
+ src/jv_print.c | 4 ++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/jv.c b/src/jv.c
+index 84fafef666..074ee310c5 100644
+--- a/src/jv.c
++++ b/src/jv.c
+@@ -570,7 +570,10 @@ static jvp_literal_number* jvp_literal_number_alloc(unsigned literal_length) {
+ }
+
+ static jv jvp_literal_number_new(const char * literal) {
+- jvp_literal_number* n = jvp_literal_number_alloc(strlen(literal));
++ size_t len = strlen(literal);
++ if (len > DEC_MAX_DIGITS)
++ return JV_INVALID;
++ jvp_literal_number* n = jvp_literal_number_alloc(len);
+
+ decContext *ctx = DEC_CONTEXT();
+ decContextClearStatus(ctx, DEC_Conversion_syntax);
+diff --git a/src/jv_print.c b/src/jv_print.c
+index 5c86c5d97c..bc251070f7 100644
+--- a/src/jv_print.c
++++ b/src/jv_print.c
+@@ -410,6 +410,10 @@ jv jv_dump_string(jv x, int flags) {
+
+ char *jv_dump_string_trunc(jv x, char *outbuf, size_t bufsize) {
+ assert(bufsize > 0);
++ if (jv_get_kind(x) == JV_KIND_STRING &&
++ (size_t)jv_string_length_bytes(jv_copy(x)) > bufsize) {
++ x = jv_string_slice(x, 0, bufsize);
++ }
+ x = jv_dump_string(x, 0);
+ const char *str = jv_string_value(x);
+ const size_t len = strlen(str);
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 0653dcd1f1..0e3e22c65b 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
file://CVE-2026-40612.patch \
file://CVE-2026-41256.patch \
file://CVE-2026-41257.patch \
+ file://CVE-2026-43894.patch \
file://CVE-2026-43896.patch \
file://CVE-2026-44777.patch \
file://CVE-2026-49389.patch \
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH 8/8] jq: patch CVE-2026-43895
2026-06-16 6:27 [PATCHv2 1/8] jq: patch CVE-2026-49839 Anton Skorup
` (5 preceding siblings ...)
2026-06-16 6:27 ` [PATCH 7/8] jq: patch CVE-2026-43894 Anton Skorup
@ 2026-06-16 6:27 ` Anton Skorup
6 siblings, 0 replies; 8+ messages in thread
From: Anton Skorup @ 2026-06-16 6:27 UTC (permalink / raw)
To: openembedded-devel; +Cc: Anton Skorup, Anton Skorup
From: Anton Skorup <anton@skorup.se>
CVE details: https://www.cve.org/CVERecord?id=CVE-2026-43895
Signed-off-by: Anton Skorup <anton.skorup@axis.com>
---
.../jq/jq/CVE-2026-43895.patch | 1537 +++++++++++++++++
meta-oe/recipes-devtools/jq/jq_1.8.1.bb | 1 +
2 files changed, 1538 insertions(+)
create mode 100644 meta-oe/recipes-devtools/jq/jq/CVE-2026-43895.patch
diff --git a/meta-oe/recipes-devtools/jq/jq/CVE-2026-43895.patch b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43895.patch
new file mode 100644
index 0000000000..8b58c8e95e
--- /dev/null
+++ b/meta-oe/recipes-devtools/jq/jq/CVE-2026-43895.patch
@@ -0,0 +1,1537 @@
+From 9d223f153c3632a207fa071caaa6292da33ae361 Mon Sep 17 00:00:00 2001
+From: itchyny <itchyny@cybozu.co.jp>
+Date: Sat, 9 May 2026 17:08:43 +0900
+Subject: [PATCH] Reject embedded NUL bytes in module import paths
+
+jq accepts embedded NUL bytes at the language level but resolves
+module import paths through NUL-terminated C strings, so the path
+validated by policy or audit code could differ from the on-disk
+path jq actually opens. Pass jv through gen_import so the AST
+preserves the original bytes, and reject embedded NULs in
+validate_relpath.
+
+Fixes CVE-2026-43895.
+
+Signed-off-by: Anton Skorup
+Upstream-Status: Backport [https://github.com/jqlang/jq/commit/9d223f153c3632a207fa071caaa6292da33ae361]
+---
+ src/compile.c | 12 +-
+ src/compile.h | 2 +-
+ src/linker.c | 6 +-
+ src/parser.c | 556 +++++++++++++++++++++++++-------------------------
+ src/parser.y | 16 +-
+ tests/shtest | 17 ++
+ 6 files changed, 307 insertions(+), 302 deletions(-)
+
+diff --git a/src/compile.c b/src/compile.c
+index 5e64946b3e..80b723c119 100644
+--- a/src/compile.c
++++ b/src/compile.c
+@@ -525,13 +525,17 @@ jv block_module_meta(block b) {
+ return jv_null();
+ }
+
+-block gen_import(const char* name, const char* as, int is_data) {
++block gen_import(jv name, jv as, int is_data) {
++ assert(jv_get_kind(name) == JV_KIND_STRING);
++ assert(!jv_is_valid(as) || jv_get_kind(as) == JV_KIND_STRING);
+ inst* i = inst_new(DEPS);
+ jv meta = jv_object();
+- if (as != NULL)
+- meta = jv_object_set(meta, jv_string("as"), jv_string(as));
++ if (jv_is_valid(as))
++ meta = jv_object_set(meta, jv_string("as"), as);
++ else
++ jv_free(as);
+ meta = jv_object_set(meta, jv_string("is_data"), is_data ? jv_true() : jv_false());
+- meta = jv_object_set(meta, jv_string("relpath"), jv_string(name));
++ meta = jv_object_set(meta, jv_string("relpath"), name);
+ i->imm.constant = meta;
+ return inst_block(i);
+ }
+diff --git a/src/compile.h b/src/compile.h
+index bef46328a7..d195e9e2e8 100644
+--- a/src/compile.h
++++ b/src/compile.h
+@@ -33,7 +33,7 @@ block gen_op_pushk_under(jv constant);
+
+ block gen_module(block metadata);
+ jv block_module_meta(block b);
+-block gen_import(const char* name, const char *as, int is_data);
++block gen_import(jv name, jv as, int is_data);
+ block gen_import_meta(block import, block metadata);
+ block gen_function(const char* name, block formals, block body);
+ block gen_param_regular(const char* name);
+diff --git a/src/linker.c b/src/linker.c
+index cfd74d1d48..e9027004cc 100644
+--- a/src/linker.c
++++ b/src/linker.c
+@@ -93,6 +93,10 @@ static jv build_lib_search_chain(jq_state *jq, jv search_path, jv jq_origin, jv
+ // in between).
+ static jv validate_relpath(jv name) {
+ const char *s = jv_string_value(name);
++ if (strlen(s) != (size_t)jv_string_length_bytes(jv_copy(name))) {
++ jv_free(name);
++ return jv_invalid_with_msg(jv_string("Module path contains a NUL byte"));
++ }
+ if (strchr(s, '\\')) {
+ jv res = jv_invalid_with_msg(jv_string_fmt("Modules must be named by relative paths using '/', not '\\' (%s)", s));
+ jv_free(name);
+@@ -425,7 +429,7 @@ int load_program(jq_state *jq, struct locfile* src, block *out_block) {
+ jv home = get_home();
+ if (jv_is_valid(home)) {
+ /* Import ~/.jq as a library named "" found in $HOME or %USERPROFILE% */
+- block import = gen_import_meta(gen_import("", NULL, 0),
++ block import = gen_import_meta(gen_import(jv_string(""), jv_invalid(), 0),
+ gen_const(JV_OBJECT(
+ jv_string("optional"), jv_true(),
+ jv_string("search"), home)));
+diff --git a/src/parser.c b/src/parser.c
+index c90e313420..9c60173e27 100644
+--- a/src/parser.c
++++ b/src/parser.c
+@@ -937,19 +937,19 @@ static const yytype_int16 yyrline[] =
+ 325, 328, 331, 337, 340, 343, 349, 352, 355, 358,
+ 361, 364, 367, 370, 373, 376, 379, 382, 385, 388,
+ 391, 394, 397, 400, 403, 406, 409, 412, 415, 421,
+- 424, 441, 450, 457, 465, 476, 481, 487, 490, 495,
+- 499, 506, 509, 515, 522, 525, 528, 534, 537, 540,
+- 546, 549, 552, 560, 564, 567, 570, 573, 576, 579,
+- 582, 585, 588, 592, 598, 601, 604, 607, 610, 613,
+- 616, 619, 622, 625, 628, 631, 634, 637, 640, 643,
+- 646, 649, 652, 655, 658, 661, 664, 671, 674, 677,
+- 680, 683, 687, 690, 694, 712, 716, 720, 723, 735,
+- 740, 741, 742, 743, 746, 749, 754, 759, 762, 767,
+- 770, 775, 779, 782, 787, 790, 795, 798, 803, 806,
+- 809, 812, 815, 818, 826, 832, 835, 838, 841, 844,
+- 847, 850, 853, 856, 859, 862, 865, 868, 871, 874,
+- 877, 880, 883, 889, 892, 895, 900, 903, 906, 909,
+- 913, 918, 922, 926, 930, 934, 942, 948, 951
++ 424, 441, 445, 449, 455, 466, 471, 477, 480, 485,
++ 489, 496, 499, 505, 512, 515, 518, 524, 527, 530,
++ 536, 539, 542, 550, 554, 557, 560, 563, 566, 569,
++ 572, 575, 578, 582, 588, 591, 594, 597, 600, 603,
++ 606, 609, 612, 615, 618, 621, 624, 627, 630, 633,
++ 636, 639, 642, 645, 648, 651, 654, 661, 664, 667,
++ 670, 673, 677, 680, 684, 702, 706, 710, 713, 725,
++ 730, 731, 732, 733, 736, 739, 744, 749, 752, 757,
++ 760, 765, 769, 772, 777, 780, 785, 788, 793, 796,
++ 799, 802, 805, 808, 816, 822, 825, 828, 831, 834,
++ 837, 840, 843, 846, 849, 852, 855, 858, 861, 864,
++ 867, 870, 873, 879, 882, 885, 890, 893, 896, 899,
++ 903, 908, 912, 916, 920, 924, 932, 938, 941
+ };
+ #endif
+
+@@ -2841,42 +2841,32 @@ YYLTYPE yylloc = yyloc_default;
+ case 41: /* ImportWhat: "import" ImportFrom "as" BINDING */
+ #line 441 "src/parser.y"
+ {
+- jv v = block_const((yyvsp[-2].blk));
+- // XXX Make gen_import take only blocks and the int is_data so we
+- // don't have to free so much stuff here
+- (yyval.blk) = gen_import(jv_string_value(v), jv_string_value((yyvsp[0].literal)), 1);
++ (yyval.blk) = gen_import(block_const((yyvsp[-2].blk)), (yyvsp[0].literal), 1);
+ block_free((yyvsp[-2].blk));
+- jv_free((yyvsp[0].literal));
+- jv_free(v);
+ }
+-#line 2853 "src/parser.c"
++#line 2848 "src/parser.c"
+ break;
+
+ case 42: /* ImportWhat: "import" ImportFrom "as" IDENT */
+-#line 450 "src/parser.y"
++#line 445 "src/parser.y"
+ {
+- jv v = block_const((yyvsp[-2].blk));
+- (yyval.blk) = gen_import(jv_string_value(v), jv_string_value((yyvsp[0].literal)), 0);
++ (yyval.blk) = gen_import(block_const((yyvsp[-2].blk)), (yyvsp[0].literal), 0);
+ block_free((yyvsp[-2].blk));
+- jv_free((yyvsp[0].literal));
+- jv_free(v);
+ }
+-#line 2865 "src/parser.c"
++#line 2857 "src/parser.c"
+ break;
+
+ case 43: /* ImportWhat: "include" ImportFrom */
+-#line 457 "src/parser.y"
++#line 449 "src/parser.y"
+ {
+- jv v = block_const((yyvsp[0].blk));
+- (yyval.blk) = gen_import(jv_string_value(v), NULL, 0);
++ (yyval.blk) = gen_import(block_const((yyvsp[0].blk)), jv_invalid(), 0);
+ block_free((yyvsp[0].blk));
+- jv_free(v);
+ }
+-#line 2876 "src/parser.c"
++#line 2866 "src/parser.c"
+ break;
+
+ case 44: /* ImportFrom: String */
+-#line 465 "src/parser.y"
++#line 455 "src/parser.y"
+ {
+ if (!block_is_const((yyvsp[0].blk))) {
+ FAIL((yylsp[0]), "Import path must be constant");
+@@ -2886,152 +2876,152 @@ YYLTYPE yylloc = yyloc_default;
+ (yyval.blk) = (yyvsp[0].blk);
+ }
+ }
+-#line 2890 "src/parser.c"
++#line 2880 "src/parser.c"
+ break;
+
+ case 45: /* FuncDef: "def" IDENT ':' Query ';' */
+-#line 476 "src/parser.y"
++#line 466 "src/parser.y"
+ {
+ (yyval.blk) = gen_function(jv_string_value((yyvsp[-3].literal)), gen_noop(), (yyvsp[-1].blk));
+ jv_free((yyvsp[-3].literal));
+ }
+-#line 2899 "src/parser.c"
++#line 2889 "src/parser.c"
+ break;
+
+ case 46: /* FuncDef: "def" IDENT '(' Params ')' ':' Query ';' */
+-#line 481 "src/parser.y"
++#line 471 "src/parser.y"
+ {
+ (yyval.blk) = gen_function(jv_string_value((yyvsp[-6].literal)), (yyvsp[-4].blk), (yyvsp[-1].blk));
+ jv_free((yyvsp[-6].literal));
+ }
+-#line 2908 "src/parser.c"
++#line 2898 "src/parser.c"
+ break;
+
+ case 47: /* Params: Param */
+-#line 487 "src/parser.y"
++#line 477 "src/parser.y"
+ {
+ (yyval.blk) = (yyvsp[0].blk);
+ }
+-#line 2916 "src/parser.c"
++#line 2906 "src/parser.c"
+ break;
+
+ case 48: /* Params: Params ';' Param */
+-#line 490 "src/parser.y"
++#line 480 "src/parser.y"
+ {
+ (yyval.blk) = BLOCK((yyvsp[-2].blk), (yyvsp[0].blk));
+ }
+-#line 2924 "src/parser.c"
++#line 2914 "src/parser.c"
+ break;
+
+ case 49: /* Param: BINDING */
+-#line 495 "src/parser.y"
++#line 485 "src/parser.y"
+ {
+ (yyval.blk) = gen_param_regular(jv_string_value((yyvsp[0].literal)));
+ jv_free((yyvsp[0].literal));
+ }
+-#line 2933 "src/parser.c"
++#line 2923 "src/parser.c"
+ break;
+
+ case 50: /* Param: IDENT */
+-#line 499 "src/parser.y"
++#line 489 "src/parser.y"
+ {
+ (yyval.blk) = gen_param(jv_string_value((yyvsp[0].literal)));
+ jv_free((yyvsp[0].literal));
+ }
+-#line 2942 "src/parser.c"
++#line 2932 "src/parser.c"
+ break;
+
+ case 51: /* StringStart: FORMAT QQSTRING_START */
+-#line 506 "src/parser.y"
++#line 496 "src/parser.y"
+ {
+ (yyval.literal) = (yyvsp[-1].literal);
+ }
+-#line 2950 "src/parser.c"
++#line 2940 "src/parser.c"
+ break;
+
+ case 52: /* StringStart: QQSTRING_START */
+-#line 509 "src/parser.y"
++#line 499 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("text");
+ }
+-#line 2958 "src/parser.c"
++#line 2948 "src/parser.c"
+ break;
+
+ case 53: /* String: StringStart QQString QQSTRING_END */
+-#line 515 "src/parser.y"
++#line 505 "src/parser.y"
+ {
+ (yyval.blk) = (yyvsp[-1].blk);
+ jv_free((yyvsp[-2].literal));
+ }
+-#line 2967 "src/parser.c"
++#line 2957 "src/parser.c"
+ break;
+
+ case 54: /* QQString: %empty */
+-#line 522 "src/parser.y"
++#line 512 "src/parser.y"
+ {
+ (yyval.blk) = gen_const(jv_string(""));
+ }
+-#line 2975 "src/parser.c"
++#line 2965 "src/parser.c"
+ break;
+
+ case 55: /* QQString: QQString QQSTRING_TEXT */
+-#line 525 "src/parser.y"
++#line 515 "src/parser.y"
+ {
+ (yyval.blk) = gen_binop((yyvsp[-1].blk), gen_const((yyvsp[0].literal)), '+');
+ }
+-#line 2983 "src/parser.c"
++#line 2973 "src/parser.c"
+ break;
+
+ case 56: /* QQString: QQString QQSTRING_INTERP_START Query QQSTRING_INTERP_END */
+-#line 528 "src/parser.y"
++#line 518 "src/parser.y"
+ {
+ (yyval.blk) = gen_binop((yyvsp[-3].blk), gen_format((yyvsp[-1].blk), jv_copy((yyvsp[-4].literal))), '+');
+ }
+-#line 2991 "src/parser.c"
++#line 2981 "src/parser.c"
+ break;
+
+ case 57: /* ElseBody: "elif" Query "then" Query ElseBody */
+-#line 534 "src/parser.y"
++#line 524 "src/parser.y"
+ {
+ (yyval.blk) = gen_cond((yyvsp[-3].blk), (yyvsp[-1].blk), (yyvsp[0].blk));
+ }
+-#line 2999 "src/parser.c"
++#line 2989 "src/parser.c"
+ break;
+
+ case 58: /* ElseBody: "else" Query "end" */
+-#line 537 "src/parser.y"
++#line 527 "src/parser.y"
+ {
+ (yyval.blk) = (yyvsp[-1].blk);
+ }
+-#line 3007 "src/parser.c"
++#line 2997 "src/parser.c"
+ break;
+
+ case 59: /* ElseBody: "end" */
+-#line 540 "src/parser.y"
++#line 530 "src/parser.y"
+ {
+ (yyval.blk) = gen_noop();
+ }
+-#line 3015 "src/parser.c"
++#line 3005 "src/parser.c"
+ break;
+
+ case 60: /* Term: '.' */
+-#line 546 "src/parser.y"
++#line 536 "src/parser.y"
+ {
+ (yyval.blk) = gen_noop();
+ }
+-#line 3023 "src/parser.c"
++#line 3013 "src/parser.c"
+ break;
+
+ case 61: /* Term: ".." */
+-#line 549 "src/parser.y"
++#line 539 "src/parser.y"
+ {
+ (yyval.blk) = gen_call("recurse", gen_noop());
+ }
+-#line 3031 "src/parser.c"
++#line 3021 "src/parser.c"
+ break;
+
+ case 62: /* Term: "break" BINDING */
+-#line 552 "src/parser.y"
++#line 542 "src/parser.y"
+ {
+ jv v = jv_string_fmt("*label-%s", jv_string_value((yyvsp[0].literal))); // impossible symbol
+ (yyval.blk) = gen_location((yyloc), locations,
+@@ -3040,279 +3030,279 @@ YYLTYPE yylloc = yyloc_default;
+ jv_free(v);
+ jv_free((yyvsp[0].literal));
+ }
+-#line 3044 "src/parser.c"
++#line 3034 "src/parser.c"
+ break;
+
+ case 63: /* Term: "break" error */
+-#line 560 "src/parser.y"
++#line 550 "src/parser.y"
+ {
+ FAIL((yyloc), "break requires a label to break to");
+ (yyval.blk) = gen_noop();
+ }
+-#line 3053 "src/parser.c"
++#line 3043 "src/parser.c"
+ break;
+
+ case 64: /* Term: Term FIELD '?' */
+-#line 564 "src/parser.y"
++#line 554 "src/parser.y"
+ {
+ (yyval.blk) = gen_index_opt((yyvsp[-2].blk), gen_const((yyvsp[-1].literal)));
+ }
+-#line 3061 "src/parser.c"
++#line 3051 "src/parser.c"
+ break;
+
+ case 65: /* Term: FIELD '?' */
+-#line 567 "src/parser.y"
++#line 557 "src/parser.y"
+ {
+ (yyval.blk) = gen_index_opt(gen_noop(), gen_const((yyvsp[-1].literal)));
+ }
+-#line 3069 "src/parser.c"
++#line 3059 "src/parser.c"
+ break;
+
+ case 66: /* Term: Term '.' String '?' */
+-#line 570 "src/parser.y"
++#line 560 "src/parser.y"
+ {
+ (yyval.blk) = gen_index_opt((yyvsp[-3].blk), (yyvsp[-1].blk));
+ }
+-#line 3077 "src/parser.c"
++#line 3067 "src/parser.c"
+ break;
+
+ case 67: /* Term: '.' String '?' */
+-#line 573 "src/parser.y"
++#line 563 "src/parser.y"
+ {
+ (yyval.blk) = gen_index_opt(gen_noop(), (yyvsp[-1].blk));
+ }
+-#line 3085 "src/parser.c"
++#line 3075 "src/parser.c"
+ break;
+
+ case 68: /* Term: Term FIELD */
+-#line 576 "src/parser.y"
++#line 566 "src/parser.y"
+ {
+ (yyval.blk) = gen_index((yyvsp[-1].blk), gen_const((yyvsp[0].literal)));
+ }
+-#line 3093 "src/parser.c"
++#line 3083 "src/parser.c"
+ break;
+
+ case 69: /* Term: FIELD */
+-#line 579 "src/parser.y"
++#line 569 "src/parser.y"
+ {
+ (yyval.blk) = gen_index(gen_noop(), gen_const((yyvsp[0].literal)));
+ }
+-#line 3101 "src/parser.c"
++#line 3091 "src/parser.c"
+ break;
+
+ case 70: /* Term: Term '.' String */
+-#line 582 "src/parser.y"
++#line 572 "src/parser.y"
+ {
+ (yyval.blk) = gen_index((yyvsp[-2].blk), (yyvsp[0].blk));
+ }
+-#line 3109 "src/parser.c"
++#line 3099 "src/parser.c"
+ break;
+
+ case 71: /* Term: '.' String */
+-#line 585 "src/parser.y"
++#line 575 "src/parser.y"
+ {
+ (yyval.blk) = gen_index(gen_noop(), (yyvsp[0].blk));
+ }
+-#line 3117 "src/parser.c"
++#line 3107 "src/parser.c"
+ break;
+
+ case 72: /* Term: '.' error */
+-#line 588 "src/parser.y"
++#line 578 "src/parser.y"
+ {
+ FAIL((yyloc), "try .[\"field\"] instead of .field for unusually named fields");
+ (yyval.blk) = gen_noop();
+ }
+-#line 3126 "src/parser.c"
++#line 3116 "src/parser.c"
+ break;
+
+ case 73: /* Term: '.' IDENT error */
+-#line 592 "src/parser.y"
++#line 582 "src/parser.y"
+ {
+ jv_free((yyvsp[-1].literal));
+ FAIL((yyloc), "try .[\"field\"] instead of .field for unusually named fields");
+ (yyval.blk) = gen_noop();
+ }
+-#line 3136 "src/parser.c"
++#line 3126 "src/parser.c"
+ break;
+
+ case 74: /* Term: Term '[' Query ']' '?' */
+-#line 598 "src/parser.y"
++#line 588 "src/parser.y"
+ {
+ (yyval.blk) = gen_index_opt((yyvsp[-4].blk), (yyvsp[-2].blk));
+ }
+-#line 3144 "src/parser.c"
++#line 3134 "src/parser.c"
+ break;
+
+ case 75: /* Term: Term '[' Query ']' */
+-#line 601 "src/parser.y"
++#line 591 "src/parser.y"
+ {
+ (yyval.blk) = gen_index((yyvsp[-3].blk), (yyvsp[-1].blk));
+ }
+-#line 3152 "src/parser.c"
++#line 3142 "src/parser.c"
+ break;
+
+ case 76: /* Term: Term '.' '[' Query ']' '?' */
+-#line 604 "src/parser.y"
++#line 594 "src/parser.y"
+ {
+ (yyval.blk) = gen_index_opt((yyvsp[-5].blk), (yyvsp[-2].blk));
+ }
+-#line 3160 "src/parser.c"
++#line 3150 "src/parser.c"
+ break;
+
+ case 77: /* Term: Term '.' '[' Query ']' */
+-#line 607 "src/parser.y"
++#line 597 "src/parser.y"
+ {
+ (yyval.blk) = gen_index((yyvsp[-4].blk), (yyvsp[-1].blk));
+ }
+-#line 3168 "src/parser.c"
++#line 3158 "src/parser.c"
+ break;
+
+ case 78: /* Term: Term '[' ']' '?' */
+-#line 610 "src/parser.y"
++#line 600 "src/parser.y"
+ {
+ (yyval.blk) = block_join((yyvsp[-3].blk), gen_op_simple(EACH_OPT));
+ }
+-#line 3176 "src/parser.c"
++#line 3166 "src/parser.c"
+ break;
+
+ case 79: /* Term: Term '[' ']' */
+-#line 613 "src/parser.y"
++#line 603 "src/parser.y"
+ {
+ (yyval.blk) = block_join((yyvsp[-2].blk), gen_op_simple(EACH));
+ }
+-#line 3184 "src/parser.c"
++#line 3174 "src/parser.c"
+ break;
+
+ case 80: /* Term: Term '.' '[' ']' '?' */
+-#line 616 "src/parser.y"
++#line 606 "src/parser.y"
+ {
+ (yyval.blk) = block_join((yyvsp[-4].blk), gen_op_simple(EACH_OPT));
+ }
+-#line 3192 "src/parser.c"
++#line 3182 "src/parser.c"
+ break;
+
+ case 81: /* Term: Term '.' '[' ']' */
+-#line 619 "src/parser.y"
++#line 609 "src/parser.y"
+ {
+ (yyval.blk) = block_join((yyvsp[-3].blk), gen_op_simple(EACH));
+ }
+-#line 3200 "src/parser.c"
++#line 3190 "src/parser.c"
+ break;
+
+ case 82: /* Term: Term '[' Query ':' Query ']' '?' */
+-#line 622 "src/parser.y"
++#line 612 "src/parser.y"
+ {
+ (yyval.blk) = gen_slice_index((yyvsp[-6].blk), (yyvsp[-4].blk), (yyvsp[-2].blk), INDEX_OPT);
+ }
+-#line 3208 "src/parser.c"
++#line 3198 "src/parser.c"
+ break;
+
+ case 83: /* Term: Term '[' Query ':' ']' '?' */
+-#line 625 "src/parser.y"
++#line 615 "src/parser.y"
+ {
+ (yyval.blk) = gen_slice_index((yyvsp[-5].blk), (yyvsp[-3].blk), gen_const(jv_null()), INDEX_OPT);
+ }
+-#line 3216 "src/parser.c"
++#line 3206 "src/parser.c"
+ break;
+
+ case 84: /* Term: Term '[' ':' Query ']' '?' */
+-#line 628 "src/parser.y"
++#line 618 "src/parser.y"
+ {
+ (yyval.blk) = gen_slice_index((yyvsp[-5].blk), gen_const(jv_null()), (yyvsp[-2].blk), INDEX_OPT);
+ }
+-#line 3224 "src/parser.c"
++#line 3214 "src/parser.c"
+ break;
+
+ case 85: /* Term: Term '[' Query ':' Query ']' */
+-#line 631 "src/parser.y"
++#line 621 "src/parser.y"
+ {
+ (yyval.blk) = gen_slice_index((yyvsp[-5].blk), (yyvsp[-3].blk), (yyvsp[-1].blk), INDEX);
+ }
+-#line 3232 "src/parser.c"
++#line 3222 "src/parser.c"
+ break;
+
+ case 86: /* Term: Term '[' Query ':' ']' */
+-#line 634 "src/parser.y"
++#line 624 "src/parser.y"
+ {
+ (yyval.blk) = gen_slice_index((yyvsp[-4].blk), (yyvsp[-2].blk), gen_const(jv_null()), INDEX);
+ }
+-#line 3240 "src/parser.c"
++#line 3230 "src/parser.c"
+ break;
+
+ case 87: /* Term: Term '[' ':' Query ']' */
+-#line 637 "src/parser.y"
++#line 627 "src/parser.y"
+ {
+ (yyval.blk) = gen_slice_index((yyvsp[-4].blk), gen_const(jv_null()), (yyvsp[-1].blk), INDEX);
+ }
+-#line 3248 "src/parser.c"
++#line 3238 "src/parser.c"
+ break;
+
+ case 88: /* Term: Term '?' */
+-#line 640 "src/parser.y"
++#line 630 "src/parser.y"
+ {
+ (yyval.blk) = gen_try((yyvsp[-1].blk), gen_op_simple(BACKTRACK));
+ }
+-#line 3256 "src/parser.c"
++#line 3246 "src/parser.c"
+ break;
+
+ case 89: /* Term: LITERAL */
+-#line 643 "src/parser.y"
++#line 633 "src/parser.y"
+ {
+ (yyval.blk) = gen_const((yyvsp[0].literal));
+ }
+-#line 3264 "src/parser.c"
++#line 3254 "src/parser.c"
+ break;
+
+ case 90: /* Term: String */
+-#line 646 "src/parser.y"
++#line 636 "src/parser.y"
+ {
+ (yyval.blk) = (yyvsp[0].blk);
+ }
+-#line 3272 "src/parser.c"
++#line 3262 "src/parser.c"
+ break;
+
+ case 91: /* Term: FORMAT */
+-#line 649 "src/parser.y"
++#line 639 "src/parser.y"
+ {
+ (yyval.blk) = gen_format(gen_noop(), (yyvsp[0].literal));
+ }
+-#line 3280 "src/parser.c"
++#line 3270 "src/parser.c"
+ break;
+
+ case 92: /* Term: '-' Term */
+-#line 652 "src/parser.y"
++#line 642 "src/parser.y"
+ {
+ (yyval.blk) = BLOCK((yyvsp[0].blk), gen_call("_negate", gen_noop()));
+ }
+-#line 3288 "src/parser.c"
++#line 3278 "src/parser.c"
+ break;
+
+ case 93: /* Term: '(' Query ')' */
+-#line 655 "src/parser.y"
++#line 645 "src/parser.y"
+ {
+ (yyval.blk) = (yyvsp[-1].blk);
+ }
+-#line 3296 "src/parser.c"
++#line 3286 "src/parser.c"
+ break;
+
+ case 94: /* Term: '[' Query ']' */
+-#line 658 "src/parser.y"
++#line 648 "src/parser.y"
+ {
+ (yyval.blk) = gen_collect((yyvsp[-1].blk));
+ }
+-#line 3304 "src/parser.c"
++#line 3294 "src/parser.c"
+ break;
+
+ case 95: /* Term: '[' ']' */
+-#line 661 "src/parser.y"
++#line 651 "src/parser.y"
+ {
+ (yyval.blk) = gen_const(jv_array());
+ }
+-#line 3312 "src/parser.c"
++#line 3302 "src/parser.c"
+ break;
+
+ case 96: /* Term: '{' DictPairs '}' */
+-#line 664 "src/parser.y"
++#line 654 "src/parser.y"
+ {
+ block o = gen_const_object((yyvsp[-1].blk));
+ if (o.first != NULL)
+@@ -3320,103 +3310,103 @@ YYLTYPE yylloc = yyloc_default;
+ else
+ (yyval.blk) = BLOCK(gen_subexp(gen_const(jv_object())), (yyvsp[-1].blk), gen_op_simple(POP));
+ }
+-#line 3324 "src/parser.c"
++#line 3314 "src/parser.c"
+ break;
+
+ case 97: /* Term: "reduce" Expr "as" Patterns '(' Query ';' Query ')' */
+-#line 671 "src/parser.y"
++#line 661 "src/parser.y"
+ {
+ (yyval.blk) = gen_reduce((yyvsp[-7].blk), (yyvsp[-5].blk), (yyvsp[-3].blk), (yyvsp[-1].blk));
+ }
+-#line 3332 "src/parser.c"
++#line 3322 "src/parser.c"
+ break;
+
+ case 98: /* Term: "foreach" Expr "as" Patterns '(' Query ';' Query ';' Query ')' */
+-#line 674 "src/parser.y"
++#line 664 "src/parser.y"
+ {
+ (yyval.blk) = gen_foreach((yyvsp[-9].blk), (yyvsp[-7].blk), (yyvsp[-5].blk), (yyvsp[-3].blk), (yyvsp[-1].blk));
+ }
+-#line 3340 "src/parser.c"
++#line 3330 "src/parser.c"
+ break;
+
+ case 99: /* Term: "foreach" Expr "as" Patterns '(' Query ';' Query ')' */
+-#line 677 "src/parser.y"
++#line 667 "src/parser.y"
+ {
+ (yyval.blk) = gen_foreach((yyvsp[-7].blk), (yyvsp[-5].blk), (yyvsp[-3].blk), (yyvsp[-1].blk), gen_noop());
+ }
+-#line 3348 "src/parser.c"
++#line 3338 "src/parser.c"
+ break;
+
+ case 100: /* Term: "if" Query "then" Query ElseBody */
+-#line 680 "src/parser.y"
++#line 670 "src/parser.y"
+ {
+ (yyval.blk) = gen_cond((yyvsp[-3].blk), (yyvsp[-1].blk), (yyvsp[0].blk));
+ }
+-#line 3356 "src/parser.c"
++#line 3346 "src/parser.c"
+ break;
+
+ case 101: /* Term: "if" Query "then" error */
+-#line 683 "src/parser.y"
++#line 673 "src/parser.y"
+ {
+ FAIL((yyloc), "Possibly unterminated 'if' statement");
+ (yyval.blk) = (yyvsp[-2].blk);
+ }
+-#line 3365 "src/parser.c"
++#line 3355 "src/parser.c"
+ break;
+
+ case 102: /* Term: "try" Expr "catch" Expr */
+-#line 687 "src/parser.y"
++#line 677 "src/parser.y"
+ {
+ (yyval.blk) = gen_try((yyvsp[-2].blk), (yyvsp[0].blk));
+ }
+-#line 3373 "src/parser.c"
++#line 3363 "src/parser.c"
+ break;
+
+ case 103: /* Term: "try" Expr "catch" error */
+-#line 690 "src/parser.y"
++#line 680 "src/parser.y"
+ {
+ FAIL((yyloc), "Possibly unterminated 'try' statement");
+ (yyval.blk) = (yyvsp[-2].blk);
+ }
+-#line 3382 "src/parser.c"
++#line 3372 "src/parser.c"
+ break;
+
+ case 104: /* Term: "try" Expr */
+-#line 694 "src/parser.y"
++#line 684 "src/parser.y"
+ {
+ (yyval.blk) = gen_try((yyvsp[0].blk), gen_op_simple(BACKTRACK));
+ }
+-#line 3390 "src/parser.c"
++#line 3380 "src/parser.c"
+ break;
+
+ case 105: /* Term: '$' '$' '$' BINDING */
+-#line 712 "src/parser.y"
++#line 702 "src/parser.y"
+ {
+ (yyval.blk) = gen_location((yyloc), locations, gen_op_unbound(LOADVN, jv_string_value((yyvsp[0].literal))));
+ jv_free((yyvsp[0].literal));
+ }
+-#line 3399 "src/parser.c"
++#line 3389 "src/parser.c"
+ break;
+
+ case 106: /* Term: BINDING */
+-#line 716 "src/parser.y"
++#line 706 "src/parser.y"
+ {
+ (yyval.blk) = gen_location((yyloc), locations, gen_op_unbound(LOADV, jv_string_value((yyvsp[0].literal))));
+ jv_free((yyvsp[0].literal));
+ }
+-#line 3408 "src/parser.c"
++#line 3398 "src/parser.c"
+ break;
+
+ case 107: /* Term: "$__loc__" */
+-#line 720 "src/parser.y"
++#line 710 "src/parser.y"
+ {
+ (yyval.blk) = gen_loc_object(&(yyloc), locations);
+ }
+-#line 3416 "src/parser.c"
++#line 3406 "src/parser.c"
+ break;
+
+ case 108: /* Term: IDENT */
+-#line 723 "src/parser.y"
++#line 713 "src/parser.y"
+ {
+ const char *s = jv_string_value((yyvsp[0].literal));
+ if (strcmp(s, "false") == 0)
+@@ -3429,198 +3419,198 @@ YYLTYPE yylloc = yyloc_default;
+ (yyval.blk) = gen_location((yyloc), locations, gen_call(s, gen_noop()));
+ jv_free((yyvsp[0].literal));
+ }
+-#line 3433 "src/parser.c"
++#line 3423 "src/parser.c"
+ break;
+
+ case 109: /* Term: IDENT '(' Args ')' */
+-#line 735 "src/parser.y"
++#line 725 "src/parser.y"
+ {
+ (yyval.blk) = gen_call(jv_string_value((yyvsp[-3].literal)), (yyvsp[-1].blk));
+ (yyval.blk) = gen_location((yylsp[-3]), locations, (yyval.blk));
+ jv_free((yyvsp[-3].literal));
+ }
+-#line 3443 "src/parser.c"
++#line 3433 "src/parser.c"
+ break;
+
+ case 110: /* Term: '(' error ')' */
+-#line 740 "src/parser.y"
++#line 730 "src/parser.y"
+ { (yyval.blk) = gen_noop(); }
+-#line 3449 "src/parser.c"
++#line 3439 "src/parser.c"
+ break;
+
+ case 111: /* Term: '[' error ']' */
+-#line 741 "src/parser.y"
++#line 731 "src/parser.y"
+ { (yyval.blk) = gen_noop(); }
+-#line 3455 "src/parser.c"
++#line 3445 "src/parser.c"
+ break;
+
+ case 112: /* Term: Term '[' error ']' */
+-#line 742 "src/parser.y"
++#line 732 "src/parser.y"
+ { (yyval.blk) = (yyvsp[-3].blk); }
+-#line 3461 "src/parser.c"
++#line 3451 "src/parser.c"
+ break;
+
+ case 113: /* Term: '{' error '}' */
+-#line 743 "src/parser.y"
++#line 733 "src/parser.y"
+ { (yyval.blk) = gen_noop(); }
+-#line 3467 "src/parser.c"
++#line 3457 "src/parser.c"
+ break;
+
+ case 114: /* Args: Arg */
+-#line 746 "src/parser.y"
++#line 736 "src/parser.y"
+ {
+ (yyval.blk) = (yyvsp[0].blk);
+ }
+-#line 3475 "src/parser.c"
++#line 3465 "src/parser.c"
+ break;
+
+ case 115: /* Args: Args ';' Arg */
+-#line 749 "src/parser.y"
++#line 739 "src/parser.y"
+ {
+ (yyval.blk) = BLOCK((yyvsp[-2].blk), (yyvsp[0].blk));
+ }
+-#line 3483 "src/parser.c"
++#line 3473 "src/parser.c"
+ break;
+
+ case 116: /* Arg: Query */
+-#line 754 "src/parser.y"
++#line 744 "src/parser.y"
+ {
+ (yyval.blk) = gen_lambda((yyvsp[0].blk));
+ }
+-#line 3491 "src/parser.c"
++#line 3481 "src/parser.c"
+ break;
+
+ case 117: /* RepPatterns: RepPatterns "?//" Pattern */
+-#line 759 "src/parser.y"
++#line 749 "src/parser.y"
+ {
+ (yyval.blk) = BLOCK((yyvsp[-2].blk), gen_destructure_alt((yyvsp[0].blk)));
+ }
+-#line 3499 "src/parser.c"
++#line 3489 "src/parser.c"
+ break;
+
+ case 118: /* RepPatterns: Pattern */
+-#line 762 "src/parser.y"
++#line 752 "src/parser.y"
+ {
+ (yyval.blk) = gen_destructure_alt((yyvsp[0].blk));
+ }
+-#line 3507 "src/parser.c"
++#line 3497 "src/parser.c"
+ break;
+
+ case 119: /* Patterns: RepPatterns "?//" Pattern */
+-#line 767 "src/parser.y"
++#line 757 "src/parser.y"
+ {
+ (yyval.blk) = BLOCK((yyvsp[-2].blk), (yyvsp[0].blk));
+ }
+-#line 3515 "src/parser.c"
++#line 3505 "src/parser.c"
+ break;
+
+ case 120: /* Patterns: Pattern */
+-#line 770 "src/parser.y"
++#line 760 "src/parser.y"
+ {
+ (yyval.blk) = (yyvsp[0].blk);
+ }
+-#line 3523 "src/parser.c"
++#line 3513 "src/parser.c"
+ break;
+
+ case 121: /* Pattern: BINDING */
+-#line 775 "src/parser.y"
++#line 765 "src/parser.y"
+ {
+ (yyval.blk) = gen_op_unbound(STOREV, jv_string_value((yyvsp[0].literal)));
+ jv_free((yyvsp[0].literal));
+ }
+-#line 3532 "src/parser.c"
++#line 3522 "src/parser.c"
+ break;
+
+ case 122: /* Pattern: '[' ArrayPats ']' */
+-#line 779 "src/parser.y"
++#line 769 "src/parser.y"
+ {
+ (yyval.blk) = BLOCK((yyvsp[-1].blk), gen_op_simple(POP));
+ }
+-#line 3540 "src/parser.c"
++#line 3530 "src/parser.c"
+ break;
+
+ case 123: /* Pattern: '{' ObjPats '}' */
+-#line 782 "src/parser.y"
++#line 772 "src/parser.y"
+ {
+ (yyval.blk) = BLOCK((yyvsp[-1].blk), gen_op_simple(POP));
+ }
+-#line 3548 "src/parser.c"
++#line 3538 "src/parser.c"
+ break;
+
+ case 124: /* ArrayPats: Pattern */
+-#line 787 "src/parser.y"
++#line 777 "src/parser.y"
+ {
+ (yyval.blk) = gen_array_matcher(gen_noop(), (yyvsp[0].blk));
+ }
+-#line 3556 "src/parser.c"
++#line 3546 "src/parser.c"
+ break;
+
+ case 125: /* ArrayPats: ArrayPats ',' Pattern */
+-#line 790 "src/parser.y"
++#line 780 "src/parser.y"
+ {
+ (yyval.blk) = gen_array_matcher((yyvsp[-2].blk), (yyvsp[0].blk));
+ }
+-#line 3564 "src/parser.c"
++#line 3554 "src/parser.c"
+ break;
+
+ case 126: /* ObjPats: ObjPat */
+-#line 795 "src/parser.y"
++#line 785 "src/parser.y"
+ {
+ (yyval.blk) = (yyvsp[0].blk);
+ }
+-#line 3572 "src/parser.c"
++#line 3562 "src/parser.c"
+ break;
+
+ case 127: /* ObjPats: ObjPats ',' ObjPat */
+-#line 798 "src/parser.y"
++#line 788 "src/parser.y"
+ {
+ (yyval.blk) = BLOCK((yyvsp[-2].blk), (yyvsp[0].blk));
+ }
+-#line 3580 "src/parser.c"
++#line 3570 "src/parser.c"
+ break;
+
+ case 128: /* ObjPat: BINDING */
+-#line 803 "src/parser.y"
++#line 793 "src/parser.y"
+ {
+ (yyval.blk) = gen_object_matcher(gen_const((yyvsp[0].literal)), gen_op_unbound(STOREV, jv_string_value((yyvsp[0].literal))));
+ }
+-#line 3588 "src/parser.c"
++#line 3578 "src/parser.c"
+ break;
+
+ case 129: /* ObjPat: BINDING ':' Pattern */
+-#line 806 "src/parser.y"
++#line 796 "src/parser.y"
+ {
+ (yyval.blk) = gen_object_matcher(gen_const((yyvsp[-2].literal)), BLOCK(gen_op_simple(DUP), gen_op_unbound(STOREV, jv_string_value((yyvsp[-2].literal))), (yyvsp[0].blk)));
+ }
+-#line 3596 "src/parser.c"
++#line 3586 "src/parser.c"
+ break;
+
+ case 130: /* ObjPat: IDENT ':' Pattern */
+-#line 809 "src/parser.y"
++#line 799 "src/parser.y"
+ {
+ (yyval.blk) = gen_object_matcher(gen_const((yyvsp[-2].literal)), (yyvsp[0].blk));
+ }
+-#line 3604 "src/parser.c"
++#line 3594 "src/parser.c"
+ break;
+
+ case 131: /* ObjPat: Keyword ':' Pattern */
+-#line 812 "src/parser.y"
++#line 802 "src/parser.y"
+ {
+ (yyval.blk) = gen_object_matcher(gen_const((yyvsp[-2].literal)), (yyvsp[0].blk));
+ }
+-#line 3612 "src/parser.c"
++#line 3602 "src/parser.c"
+ break;
+
+ case 132: /* ObjPat: String ':' Pattern */
+-#line 815 "src/parser.y"
++#line 805 "src/parser.y"
+ {
+ (yyval.blk) = gen_object_matcher((yyvsp[-2].blk), (yyvsp[0].blk));
+ }
+-#line 3620 "src/parser.c"
++#line 3610 "src/parser.c"
+ break;
+
+ case 133: /* ObjPat: '(' Query ')' ':' Pattern */
+-#line 818 "src/parser.y"
++#line 808 "src/parser.y"
+ {
+ jv msg = check_object_key((yyvsp[-3].blk));
+ if (jv_is_valid(msg)) {
+@@ -3629,267 +3619,267 @@ YYLTYPE yylloc = yyloc_default;
+ jv_free(msg);
+ (yyval.blk) = gen_object_matcher((yyvsp[-3].blk), (yyvsp[0].blk));
+ }
+-#line 3633 "src/parser.c"
++#line 3623 "src/parser.c"
+ break;
+
+ case 134: /* ObjPat: error ':' Pattern */
+-#line 826 "src/parser.y"
++#line 816 "src/parser.y"
+ {
+ FAIL((yyloc), "May need parentheses around object key expression");
+ (yyval.blk) = (yyvsp[0].blk);
+ }
+-#line 3642 "src/parser.c"
++#line 3632 "src/parser.c"
+ break;
+
+ case 135: /* Keyword: "as" */
+-#line 832 "src/parser.y"
++#line 822 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("as");
+ }
+-#line 3650 "src/parser.c"
++#line 3640 "src/parser.c"
+ break;
+
+ case 136: /* Keyword: "def" */
+-#line 835 "src/parser.y"
++#line 825 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("def");
+ }
+-#line 3658 "src/parser.c"
++#line 3648 "src/parser.c"
+ break;
+
+ case 137: /* Keyword: "module" */
+-#line 838 "src/parser.y"
++#line 828 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("module");
+ }
+-#line 3666 "src/parser.c"
++#line 3656 "src/parser.c"
+ break;
+
+ case 138: /* Keyword: "import" */
+-#line 841 "src/parser.y"
++#line 831 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("import");
+ }
+-#line 3674 "src/parser.c"
++#line 3664 "src/parser.c"
+ break;
+
+ case 139: /* Keyword: "include" */
+-#line 844 "src/parser.y"
++#line 834 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("include");
+ }
+-#line 3682 "src/parser.c"
++#line 3672 "src/parser.c"
+ break;
+
+ case 140: /* Keyword: "if" */
+-#line 847 "src/parser.y"
++#line 837 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("if");
+ }
+-#line 3690 "src/parser.c"
++#line 3680 "src/parser.c"
+ break;
+
+ case 141: /* Keyword: "then" */
+-#line 850 "src/parser.y"
++#line 840 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("then");
+ }
+-#line 3698 "src/parser.c"
++#line 3688 "src/parser.c"
+ break;
+
+ case 142: /* Keyword: "else" */
+-#line 853 "src/parser.y"
++#line 843 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("else");
+ }
+-#line 3706 "src/parser.c"
++#line 3696 "src/parser.c"
+ break;
+
+ case 143: /* Keyword: "elif" */
+-#line 856 "src/parser.y"
++#line 846 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("elif");
+ }
+-#line 3714 "src/parser.c"
++#line 3704 "src/parser.c"
+ break;
+
+ case 144: /* Keyword: "reduce" */
+-#line 859 "src/parser.y"
++#line 849 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("reduce");
+ }
+-#line 3722 "src/parser.c"
++#line 3712 "src/parser.c"
+ break;
+
+ case 145: /* Keyword: "foreach" */
+-#line 862 "src/parser.y"
++#line 852 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("foreach");
+ }
+-#line 3730 "src/parser.c"
++#line 3720 "src/parser.c"
+ break;
+
+ case 146: /* Keyword: "end" */
+-#line 865 "src/parser.y"
++#line 855 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("end");
+ }
+-#line 3738 "src/parser.c"
++#line 3728 "src/parser.c"
+ break;
+
+ case 147: /* Keyword: "and" */
+-#line 868 "src/parser.y"
++#line 858 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("and");
+ }
+-#line 3746 "src/parser.c"
++#line 3736 "src/parser.c"
+ break;
+
+ case 148: /* Keyword: "or" */
+-#line 871 "src/parser.y"
++#line 861 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("or");
+ }
+-#line 3754 "src/parser.c"
++#line 3744 "src/parser.c"
+ break;
+
+ case 149: /* Keyword: "try" */
+-#line 874 "src/parser.y"
++#line 864 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("try");
+ }
+-#line 3762 "src/parser.c"
++#line 3752 "src/parser.c"
+ break;
+
+ case 150: /* Keyword: "catch" */
+-#line 877 "src/parser.y"
++#line 867 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("catch");
+ }
+-#line 3770 "src/parser.c"
++#line 3760 "src/parser.c"
+ break;
+
+ case 151: /* Keyword: "label" */
+-#line 880 "src/parser.y"
++#line 870 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("label");
+ }
+-#line 3778 "src/parser.c"
++#line 3768 "src/parser.c"
+ break;
+
+ case 152: /* Keyword: "break" */
+-#line 883 "src/parser.y"
++#line 873 "src/parser.y"
+ {
+ (yyval.literal) = jv_string("break");
+ }
+-#line 3786 "src/parser.c"
++#line 3776 "src/parser.c"
+ break;
+
+ case 153: /* DictPairs: %empty */
+-#line 889 "src/parser.y"
++#line 879 "src/parser.y"
+ {
+ (yyval.blk) = gen_noop();
+ }
+-#line 3794 "src/parser.c"
++#line 3784 "src/parser.c"
+ break;
+
+ case 154: /* DictPairs: DictPair */
+-#line 892 "src/parser.y"
++#line 882 "src/parser.y"
+ {
+ (yyval.blk) = (yyvsp[0].blk);
+ }
+-#line 3802 "src/parser.c"
++#line 3792 "src/parser.c"
+ break;
+
+ case 155: /* DictPairs: DictPair ',' DictPairs */
+-#line 895 "src/parser.y"
++#line 885 "src/parser.y"
+ {
+ (yyval.blk) = block_join((yyvsp[-2].blk), (yyvsp[0].blk));
+ }
+-#line 3810 "src/parser.c"
++#line 3800 "src/parser.c"
+ break;
+
+ case 156: /* DictPair: IDENT ':' DictExpr */
+-#line 900 "src/parser.y"
++#line 890 "src/parser.y"
+ {
+ (yyval.blk) = gen_dictpair(gen_const((yyvsp[-2].literal)), (yyvsp[0].blk));
+ }
+-#line 3818 "src/parser.c"
++#line 3808 "src/parser.c"
+ break;
+
+ case 157: /* DictPair: Keyword ':' DictExpr */
+-#line 903 "src/parser.y"
++#line 893 "src/parser.y"
+ {
+ (yyval.blk) = gen_dictpair(gen_const((yyvsp[-2].literal)), (yyvsp[0].blk));
+ }
+-#line 3826 "src/parser.c"
++#line 3816 "src/parser.c"
+ break;
+
+ case 158: /* DictPair: String ':' DictExpr */
+-#line 906 "src/parser.y"
++#line 896 "src/parser.y"
+ {
+ (yyval.blk) = gen_dictpair((yyvsp[-2].blk), (yyvsp[0].blk));
+ }
+-#line 3834 "src/parser.c"
++#line 3824 "src/parser.c"
+ break;
+
+ case 159: /* DictPair: String */
+-#line 909 "src/parser.y"
++#line 899 "src/parser.y"
+ {
+ (yyval.blk) = gen_dictpair((yyvsp[0].blk), BLOCK(gen_op_simple(POP), gen_op_simple(DUP2),
+ gen_op_simple(DUP2), gen_op_simple(INDEX)));
+ }
+-#line 3843 "src/parser.c"
++#line 3833 "src/parser.c"
+ break;
+
+ case 160: /* DictPair: BINDING ':' DictExpr */
+-#line 913 "src/parser.y"
++#line 903 "src/parser.y"
+ {
+ (yyval.blk) = gen_dictpair(gen_location((yyloc), locations, gen_op_unbound(LOADV, jv_string_value((yyvsp[-2].literal)))),
+ (yyvsp[0].blk));
+ jv_free((yyvsp[-2].literal));
+ }
+-#line 3853 "src/parser.c"
++#line 3843 "src/parser.c"
+ break;
+
+ case 161: /* DictPair: BINDING */
+-#line 918 "src/parser.y"
++#line 908 "src/parser.y"
+ {
+ (yyval.blk) = gen_dictpair(gen_const((yyvsp[0].literal)),
+ gen_location((yyloc), locations, gen_op_unbound(LOADV, jv_string_value((yyvsp[0].literal)))));
+ }
+-#line 3862 "src/parser.c"
++#line 3852 "src/parser.c"
+ break;
+
+ case 162: /* DictPair: IDENT */
+-#line 922 "src/parser.y"
++#line 912 "src/parser.y"
+ {
+ (yyval.blk) = gen_dictpair(gen_const(jv_copy((yyvsp[0].literal))),
+ gen_index(gen_noop(), gen_const((yyvsp[0].literal))));
+ }
+-#line 3871 "src/parser.c"
++#line 3861 "src/parser.c"
+ break;
+
+ case 163: /* DictPair: "$__loc__" */
+-#line 926 "src/parser.y"
++#line 916 "src/parser.y"
+ {
+ (yyval.blk) = gen_dictpair(gen_const(jv_string("__loc__")),
+ gen_loc_object(&(yyloc), locations));
+ }
+-#line 3880 "src/parser.c"
++#line 3870 "src/parser.c"
+ break;
+
+ case 164: /* DictPair: Keyword */
+-#line 930 "src/parser.y"
++#line 920 "src/parser.y"
+ {
+ (yyval.blk) = gen_dictpair(gen_const(jv_copy((yyvsp[0].literal))),
+ gen_index(gen_noop(), gen_const((yyvsp[0].literal))));
+ }
+-#line 3889 "src/parser.c"
++#line 3879 "src/parser.c"
+ break;
+
+ case 165: /* DictPair: '(' Query ')' ':' DictExpr */
+-#line 934 "src/parser.y"
++#line 924 "src/parser.y"
+ {
+ jv msg = check_object_key((yyvsp[-3].blk));
+ if (jv_is_valid(msg)) {
+@@ -3898,36 +3888,36 @@ YYLTYPE yylloc = yyloc_default;
+ jv_free(msg);
+ (yyval.blk) = gen_dictpair((yyvsp[-3].blk), (yyvsp[0].blk));
+ }
+-#line 3902 "src/parser.c"
++#line 3892 "src/parser.c"
+ break;
+
+ case 166: /* DictPair: error ':' DictExpr */
+-#line 942 "src/parser.y"
++#line 932 "src/parser.y"
+ {
+ FAIL((yylsp[-2]), "May need parentheses around object key expression");
+ (yyval.blk) = (yyvsp[0].blk);
+ }
+-#line 3911 "src/parser.c"
++#line 3901 "src/parser.c"
+ break;
+
+ case 167: /* DictExpr: DictExpr '|' DictExpr */
+-#line 948 "src/parser.y"
++#line 938 "src/parser.y"
+ {
+ (yyval.blk) = block_join((yyvsp[-2].blk), (yyvsp[0].blk));
+ }
+-#line 3919 "src/parser.c"
++#line 3909 "src/parser.c"
+ break;
+
+ case 168: /* DictExpr: Expr */
+-#line 951 "src/parser.y"
++#line 941 "src/parser.y"
+ {
+ (yyval.blk) = (yyvsp[0].blk);
+ }
+-#line 3927 "src/parser.c"
++#line 3917 "src/parser.c"
+ break;
+
+
+-#line 3931 "src/parser.c"
++#line 3921 "src/parser.c"
+
+ default: break;
+ }
+@@ -4156,7 +4146,7 @@ YYLTYPE yylloc = yyloc_default;
+ return yyresult;
+ }
+
+-#line 954 "src/parser.y"
++#line 944 "src/parser.y"
+
+
+ int jq_parse(struct locfile* locations, block* answer) {
+diff --git a/src/parser.y b/src/parser.y
+index 987a4ecaa3..ecd5796561 100644
+--- a/src/parser.y
++++ b/src/parser.y
+@@ -439,26 +439,16 @@ ImportWhat Query ';' {
+
+ ImportWhat:
+ "import" ImportFrom "as" BINDING {
+- jv v = block_const($2);
+- // XXX Make gen_import take only blocks and the int is_data so we
+- // don't have to free so much stuff here
+- $$ = gen_import(jv_string_value(v), jv_string_value($4), 1);
++ $$ = gen_import(block_const($2), $4, 1);
+ block_free($2);
+- jv_free($4);
+- jv_free(v);
+ } |
+ "import" ImportFrom "as" IDENT {
+- jv v = block_const($2);
+- $$ = gen_import(jv_string_value(v), jv_string_value($4), 0);
++ $$ = gen_import(block_const($2), $4, 0);
+ block_free($2);
+- jv_free($4);
+- jv_free(v);
+ } |
+ "include" ImportFrom {
+- jv v = block_const($2);
+- $$ = gen_import(jv_string_value(v), NULL, 0);
++ $$ = gen_import(block_const($2), jv_invalid(), 0);
+ block_free($2);
+- jv_free(v);
+ }
+
+ ImportFrom:
+diff --git a/tests/shtest b/tests/shtest
+index 68705df255..fa972de870 100755
+--- a/tests/shtest
++++ b/tests/shtest
+@@ -893,4 +893,21 @@ if echo '42' | $JQ -f "$d/nul_prog.jq" >/dev/null 2>/dev/null; then
+ exit 1
+ fi
+
++# CVE-2026-43895: No NUL bytes in module/data import paths
++printf 'import "a\\u0000b" as $x; .' > "$d/nul_import.jq"
++if $JQ -nf "$d/nul_import.jq" >/dev/null 2>/dev/null; then
++ printf 'Error expected for import path with NUL bytes\n' 1>&2
++ exit 1
++fi
++printf 'include "a\\u0000b"; .' > "$d/nul_include.jq"
++if $JQ -nf "$d/nul_include.jq" >/dev/null 2>/dev/null; then
++ printf 'Error expected for include path with NUL bytes\n' 1>&2
++ exit 1
++fi
++printf '"a\\u0000b" | modulemeta' > "$d/nul_modulemeta.jq"
++if $JQ -nf "$d/nul_modulemeta.jq" >/dev/null 2>/dev/null; then
++ printf 'Error expected for modulemeta with NUL bytes\n' 1>&2
++ exit 1
++fi
++
+ exit 0
diff --git a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
index 0e3e22c65b..c32efc5b88 100644
--- a/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
+++ b/meta-oe/recipes-devtools/jq/jq_1.8.1.bb
@@ -21,6 +21,7 @@ SRC_URI = "git://github.com/jqlang/jq.git;protocol=https;branch=master;tag=jq-${
file://CVE-2026-41256.patch \
file://CVE-2026-41257.patch \
file://CVE-2026-43894.patch \
+ file://CVE-2026-43895.patch \
file://CVE-2026-43896.patch \
file://CVE-2026-44777.patch \
file://CVE-2026-49389.patch \
--
2.43.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
end of thread, other threads:[~2026-06-16 7:13 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-16 6:27 [PATCHv2 1/8] jq: patch CVE-2026-49839 Anton Skorup
2026-06-16 6:27 ` [PATCH 2/8] jq: patch CVE-2026-41256 Anton Skorup
2026-06-16 6:27 ` [PATCH 3/8] jq: patch CVE-2026-44777 Anton Skorup
2026-06-16 6:27 ` [PATCH 4/8] jq: patch CVE-2026-43896 Anton Skorup
2026-06-16 6:27 ` [PATCH 5/8] jq: patch CVE-2026-41257 Anton Skorup
2026-06-16 6:27 ` [PATCH 6/8] jq: patch CVE-2026-40612 Anton Skorup
2026-06-16 6:27 ` [PATCH 7/8] jq: patch CVE-2026-43894 Anton Skorup
2026-06-16 6:27 ` [PATCH 8/8] jq: patch CVE-2026-43895 Anton Skorup
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.