jq: integer overflow in jv_string_concat triggers heap buffer overflow on large strings
What's the vulnerability?
jq's jv_string_concat (called by the + operator on strings and by add over an array of strings) computes the size of the destination buffer using 32-bit int/uint32_t arithmetic. When the sum of the two input string lengths exceeds 2^31 bytes, the size computation wraps around and allocates a heap buffer much smaller than the data about to be written. The subsequent memcpy writes past the end of that buffer and corrupts adjacent heap data: a classic CWE-190 (integer overflow) to CWE-122 (heap-based buffer overflow) chain.
Any service that runs jq filters on attacker-controlled input (the common pattern in CI pipelines, log shippers, observability stacks, k8s admission webhooks, etc.) is exposed. The attacker only needs the ability to deliver ~2 GB of JSON string content to a jq invocation that concatenates it; on systems with sufficient memory the overflow is reachable and reproducible.
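As an added illustration (not code from this advisory or from jq), the sizing arithmetic is modelled below in C: the wrapping 32-bit computation next to a checked 64-bit version that rejects sums the 32-bit field cannot hold. The doubling growth policy, the function names and the sample lengths are assumptions made for the model.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added model of the sizing arithmetic described above; it is not jq's own code.
 * Assumption: the destination is sized as (currlen + len) * 2 in uint32_t, so once
 * currlen + len exceeds 2^31 the product wraps below the bytes about to be copied. */

/* Vulnerable: every operand is 32 bits wide, so the product wraps silently. */
uint32_t concat_alloc_vulnerable(uint32_t currlen, uint32_t len) {
    uint32_t allocsz = (currlen + len) * 2;
    if (allocsz < 32) allocsz = 32;
    return allocsz;
}

/* True when the vulnerable sizing allocates fewer bytes than the concatenation
 * needs (currlen + len + 1 for the terminating NUL): the memcpy would overflow. */
bool vulnerable_sizing_overflows(uint32_t currlen, uint32_t len) {
    uint64_t needed = (uint64_t)currlen + len + 1;
    return (uint64_t)concat_alloc_vulnerable(currlen, len) < needed;
}

/* Hardened: compute in 64 bits and refuse any sum whose doubling would not fit the
 * 32-bit size field; the caller fails the operation instead of writing past a short buffer. */
bool concat_alloc_checked(uint32_t currlen, uint32_t len, uint32_t *allocsz) {
    uint64_t needed = (uint64_t)currlen + len;
    if (needed > UINT32_MAX / 2) return false;   /* needed * 2 would wrap */
    uint64_t grown = needed * 2;
    if (grown < 32) grown = 32;
    *allocsz = (uint32_t)grown;
    return true;
}

/* Wrapper returning the checked size, or 0 when rejected (the minimum allocation is 32). */
uint32_t concat_alloc_checked_or_zero(uint32_t currlen, uint32_t len) {
    uint32_t allocsz;
    return concat_alloc_checked(currlen, len, &allocsz) ? allocsz : 0;
}

int main(void) {
    /* Constructed lengths: a (2^31 - 1)-byte string plus one byte, so the sum reaches 2^31. */
    uint32_t a = 0x7FFFFFFFu, b = 1u;
    printf("vulnerable allocsz for %u + %u bytes: %u (overflow: %s)\n",
           a, b, concat_alloc_vulnerable(a, b),
           vulnerable_sizing_overflows(a, b) ? "yes" : "no");
    printf("checked allocsz: %u (0 = rejected)\n", concat_alloc_checked_or_zero(a, b));
    return 0;
}
```

No buffer is actually allocated; the model only computes sizes, so it runs without 2 GB of memory.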
Root Cause Analysis
Variant Analysis
Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script.
pruva-verify REPRO-2026-00170
pruva-verify GHSA-q3h9-m34w-h76f
pruva-verify CVE-2026-32316
curl -fsSL https://pruva.dev/install.sh | sh
Or Run Manually
Download the script
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00170/artifacts/bundle/repro/reproduction_steps.sh
Make executable
chmod +x reproduction_steps.sh
Run the script
./reproduction_steps.sh
How Pruva Reproduced This