valgrind error in _cjose_jws_verify_sig_rs

[rdwr-vitalyk]

i get a valgrind error :
==9613== Invalid read of size 8
==9613== at 0x611A566: __strcmp_sse42 (strcmp-sse42.S:163)
==9613== by 0x23505FC: _cjose_jws_verify_sig_rs (jws.c:958)

can you please advice? i use cjose-0.6.2.3 , jansson-2.14
the program is simple:

``
#include <stdio.h>
#include <string.h>
#include <cjose/cjose.h>

const char *jwt_str = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjJrcnBxU01yTHdYY2JVOURvTEpOYyJ9.eyJuaWNrbmFtZSI6InVzZXIxIiwibmFtZSI6InVzZXIxQGV4YW1wbGUuY29tIiwicGljdHVyZSI6Imh0dHBzOi8vcy5ncmF2YXRhci5jb20vYXZhdGFyLzExMWQ2OGQwNmUyZDMxN2I1YTU5YzJjNmM1YmFkODA4P3M9NDgwJnI9cGcmZD1odHRwcyUzQSUyRiUyRmNkbi5hdXRoMC5jb20lMkZhdmF0YXJzJTJGdXMucG5nIiwidXBkYXRlZF9hdCI6IjIwMjUtMDQtMDNUMjI6NDc6MjMuMTQ4WiIsImVtYWlsIjoidXNlcjFAZXhhbXBsZS5jb20iLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImlzcyI6Imh0dHBzOi8vZGV2LXlyN25mdWlmaDJ6aGR1YmoudXMuYXV0aDAuY29tLyIsImF1ZCI6IkpmNndyN1VKRzBoUmxPZHpTdE1paTVjOU9FU1cwNWxDIiwic3ViIjoiYXV0aDB8NjYxMWIyZjZhMDA5ZGJiN2I5MGU4ZjVhIiwiaWF0IjoxNzQzNzIwNDQ0LCJleHAiOjE3NDM3NTY0NDQsInNpZCI6IlN1QkhIbnhRSkVfLXRVd2loZ3AxeVIyS2ZvUmJmWi14In0.LidvXEf8V6Jq08oBPJo7RvBu9sgLqhULhVzWiBuUUEkgJy0McxbZSywGs43TiEccQPWwwf3Ye0yS-NS_B2C35KQ93QNqFSgsn-YDa_4DNX0ENm7mTqf1XXervOt1StD-w7uV3tJypNfPAXL2qLYnFLkk3Ok_bH_80b6SmjfynjvQ0B8q8sxx8cXGrIFW9gST8SwbOyOdGKEtZp2FagC2mK5pBbsqFeAV_tAlyaycEnNRm4ODdakzFTONdyc9Ir6o_VQ4VydOcNqzG_w26rLye6FW_XBZgyF5uro7YEd8jpvH7oW0EU08bi3Qr9OyDK50fsMxRMQujCIVSre9AKRicA";
;

const char *jwk_json = R"(
{"kty":"RSA","use":"sig","n":"6tTT0Es5d020XcO8acTlxW4RrQ-yyFYK0ru2v96rznag7AOxsXkYBXtbWcxGsJmklaqRg1ibBzXfySsGCitQ_7BLcWIAVTavfdZytryZqyopXeD1fW6UswCVHMcZ0o1P4U382mgw17CqurReELPnHGpFEMa7lxzOn48R3v2qaEpLgqZPSZ82-CehI5TUVvfZkwfvx3WF-GGB9U9c2xj73s80PKTfrZ7VNAGEtXySaA9vlzXdkGTHzNZBKFD_1hLiQ8_9VT7uyO6deNqAuItRk68UDFHrqD_Zc1abDQy2bv_pjsdsKHCPHvkFfhg0GuHmo0wpYj4bW2LRH25rAUpa1Q","e":"AQAB","kid":"2krpqSMrLwXcbU9DoLJNc","x5t":"Zqzqk4jhHDNmVXVFTZ0TgkKKX0Q","x5c":["MIIDHTCCAgWgAwIBAgIJHLVa71EFy/coMA0GCSqGSIb3DQEBCwUAMCwxKjAoBgNVBAMTIWRldi15cjduZnVpZmgyemhkdWJqLnVzLmF1dGgwLmNvbTAeFw0yNDA0MDIxMDE0MTlaFw0zNzEyMTAxMDE0MTlaMCwxKjAoBgNVBAMTIWRldi15cjduZnVpZmgyemhkdWJqLnVzLmF1dGgwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOrU09BLOXdNtF3DvGnE5cVuEa0PsshWCtK7tr/eq852oOwDsbF5GAV7W1nMRrCZpJWqkYNYmwc138krBgorUP+wS3FiAFU2r33Wcra8masqKV3g9X1ulLMAlRzHGdKNT+FN/NpoMNewqrq0XhCz5xxqRRDGu5cczp+PEd79qmhKS4KmT0mfNvgnoSOU1Fb32ZMH78d1hfhhgfVPXNsY+97PNDyk362e1TQBhLV8kmgPb5c13ZBkx8zWQShQ/9YS4kPP/VU+7sjunXjagLiLUZOvFAxR66g/2XNWmw0Mtm7/6Y7HbChwjx75BX4YNBrh5qNMKWI+G1ti0R9uawFKWtUCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUus//Ex4MbOLS6c1TzdZl385jYbQwDgYDVR0PAQH/BAQDAgKEMA0GCSqGSIb3DQEBCwUAA4IBAQByej/jMqE0ggiP7RKJQDak45h7hBc6XpuRgBWU2OqUMH2L+S8wCtCxt11Ogu7NeFjzOXfSLvjVfW2NksMi3Ux9IzYp/+ubwX7NWNAJsuj0OcWAYWUpafFOlKcWhrwkjwzMksXz8qDN3qm5tgfj5dshgqlZNYRMgtBjUw12ackF4hmfz9hEhKGeKLKZ/RzqphHInaHN7U38/zX1xMgvzkAYkTk15FNluCA3x7qFqFJivu/YKHs/yAaSF4biFwdu6IlbBwUbFaSW1VL6NqyHrdTgUi6h4AkqC5XJ13ZHj0IDdTxQKhNHgFPuKNvbr/oj5F9RGRLbZFGg5FCRVe4qjXo0"],"alg":"RS256"})";
;
int main()
{
cjose_err err;
cjose_jwk_t *jwk = cjose_jwk_import(jwk_json, strlen(jwk_json), &err);
if (!jwk) {
fprintf(stderr, "Failed to import JWK: %s\n", err.message);
return 1;
}

cjose_jws_t *jws = cjose_jws_import(jwt_str, strlen(jwt_str), &err);
if (!jws) {
    fprintf(stderr, "Failed to parse JWT: %s\n", err.message);
    return 1;
}

if (!cjose_jws_verify(jws, jwk, &err)) {
    fprintf(stderr, "JWT signature verification failed: %s\n", err.message);
    return 1;
}


uint8_t *payload_raw;
size_t payload_len;
cjose_err err1;
if (!cjose_jws_get_plaintext(jws, &payload_raw, &payload_len, &err1)) {
    fprintf(stderr, "Failed to get JWT payload: %s\n", err.message);
    return 1;
}

if (!payload_raw) {
    fprintf(stderr, "Failed to get JWT payload\n");
    return 1;
}

printf("Verified payload: %.*s\n", (int)payload_len, payload_raw);

printf("Verified payload\n");
cjose_jws_release(jws);
cjose_jwk_release(jwk);

return 0;

}

``

[zandbelt]

I'm not able to reproduce this on Ubuntu Noble with cjose v0.6.2.3 (nor stock 0.6.2.2-1build3 or v0.6.2.4):

root@1665a4dc5394:~# valgrind --leak-check=full --trace-children=yes --show-leak-kinds=definite --read-inline-info=yes --keep-debuginfo=yes -s ./issue130
==5479== Memcheck, a memory error detector
==5479== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==5479== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==5479== Command: ./issue130
==5479== 
Verified payload: {"nickname":"user1","name":"user1@example.com","picture":"https://s.gravatar.com/avatar/111d68d06e2d317b5a59c2c6c5bad808?s=480&r=pg&d=https%3A%2F%2Fcdn.auth0.com%2Favatars%2Fus.png","updated_at":"2025-04-03T22:47:23.148Z","email":"user1@example.com","email_verified":false,"iss":"https://dev-yr7nfuifh2zhdubj.us.auth0.com/","aud":"Jf6wr7UJG0hRlOdzStMii5c9OESW05lC","sub":"auth0|6611b2f6a009dbb7b90e8f5a","iat":1743720444,"exp":1743756444,"sid":"SuBHHnxQJE_-tUwihgp1yR2KfoRbfZ-x"}
Verified payload
==5479== 
==5479== HEAP SUMMARY:
==5479==     in use at exit: 0 bytes in 0 blocks
==5479==   total heap usage: 5,004 allocs, 5,004 frees, 214,709 bytes allocated
==5479== 
==5479== All heap blocks were freed -- no leaks are possible
==5479== 
==5479== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)