
Fix json offset #3538

Open
JonathanBerrew wants to merge 1 commit into owasp-modsecurity:v2/master from JonathanBerrew:fix/json_offset

Conversation

@JonathanBerrew JonathanBerrew commented Apr 7, 2026

what

Addition of custom YAJL memory allocators: yajl_fmalloc and yajl_ffree.
These allocators use APR pool memory (apr_palloc) instead of YAJL's default malloc/free.
base_offset is now copied into the APR pool instead of being used as a direct pointer to the input buffer.

why

  1. Prevents use-after-free vulnerabilities
    The original version stores offsets pointing directly into the buffer delivered by ModSecurity (stack or temporary memory). If YAJL internally modifies or frees memory, the parser may reference invalid memory.
  2. Guarantees buffer lifetime safety
    Copying the buffer into APR’s pool ensures memory remains valid for the duration of the transaction.
  3. Improves multi-thread safety and memory consistency
    Using APR memory everywhere ensures that all buffers follow ModSecurity’s allocation model.

example of issue

On Windows, sending a request with the following JSON:
"content":"<p>blabla, ...Otherwise, click <em>Register</em>.</p>","postCategory":
And receiving
"content":"<p>blabla, ...Otherwise, click <em>Register</em>.</p> egister</em>.</p>","postCategory":

Full log:

--23480000-A--
[31/Mar/2026:11:50:57.544518 +0000] acu1ISxAURah8k0tBfZdoAAAALM x.x.x.x 49424 x.x.x.x 443
--23480000-B--
POST /test HTTP/1.1
Content-Type: application/json
Host: myhost
Content-Length: 271
Expect: 100-continue
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) PowerShellScript/1.0

--23480000-C--
{
    "postCategory":  "general",
    "content":  "<p>blabla, ...Otherwise, click <em>Register</em>.</p> eRegister\u003c/em\u003e.\u003c/p\u003e",
    "postTitle":  "Welcome to my Home Page",
    "postDate":  "2023-04-01T12:00:00Z",
    "postAuthor":  "test"
}
--23480000-F--
HTTP/1.1 200 OK
X-Unique-id: -/-/20260331115057/acu1ISxAURah8k0tBfZdoAAAALM/-/20260226/-/191209
Strict-Transport-Security: max-age=31536000; includeSubDomains
content-length: 3
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
X-Robots-Tag: noindex
Cache-Control: must-revalidate, max-age=0, no-cache, no-store
Pragma: no-cache
Expires: 0
Reporting-Endpoints: coop=/!report/coop, csp=/!report/csp, default=/!report/default
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: report-to csp;report-uri /!report/csp;default-src 'self' blob:;script-src 'self' blob: 'report-sample';connect-src 'self' blob:;frame-ancestors 'self' blob:;frame-src 'self' blob: javascript:;img-src * data: blob:;font-src * data: blob:;media-src * data: blob:;form-action 'self' blob:;upgrade-insecure-requests;style-src 'unsafe-inline' 'self' blob:
Set-Cookie: _acl=YWRtaW56bm8=;Path=/nso/;httponly;secure;SameSite=none

--23480000-H--
WebApp-Info: "myhost" "-" "-"
Sensor-Id: "myhost/-/- (20260226)"
Engine-Mode: "ENABLED"

--23480000-Z--

(This was a Marc Stern modification)
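The two mechanisms the PR describes, pool-backed YAJL allocator callbacks and copying the offset fragment into the pool rather than pointing into the caller's buffer, are shown below as an added example; it is not code from this PR, from ModSecurity or from YAJL. It assumes a small bump-pointer pool (pool_create/pool_alloc/pool_destroy) standing in for apr_pool_t and apr_palloc, and declares an alloc_funcs struct with the same field layout and signatures as yajl_alloc_funcs so the file builds without libyajl; the callback names pool_yajl_malloc/realloc/free and the demo() function are this example's own.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Minimal bump-pointer pool standing in for apr_pool_t / apr_palloc
 * (assumption: a stand-in for the example, not APR). Like an APR pool it
 * never frees individual blocks; everything goes when the pool is destroyed. */
typedef struct pool {
    unsigned char *buf;
    size_t cap;
    size_t used;
} pool_t;

static pool_t *pool_create(size_t cap) {
    pool_t *p = malloc(sizeof *p);
    if (!p) return NULL;
    p->buf = malloc(cap);
    if (!p->buf) { free(p); return NULL; }
    p->cap = cap;
    p->used = 0;
    return p;
}

static void pool_destroy(pool_t *p) {
    if (p) { free(p->buf); free(p); }
}

/* apr_palloc-like: 8-byte aligned bump allocation, NULL when exhausted. */
static void *pool_alloc(pool_t *p, size_t sz) {
    size_t aligned = (sz + 7) & ~(size_t)7;
    if (sz > p->cap || p->used + aligned > p->cap) return NULL;
    void *out = p->buf + p->used;
    p->used += aligned;
    return out;
}

/* Each block carries its size in a header: a pool has no realloc and no way
 * to recover the old length, yet YAJL's realloc callback must preserve the
 * old contents when it grows a buffer. */
typedef struct { size_t size; } blk_hdr;

static void *pool_yajl_malloc(void *ctx, size_t sz) {
    blk_hdr *h = pool_alloc((pool_t *)ctx, sizeof *h + sz);
    if (!h) return NULL;
    h->size = sz;
    return h + 1;
}

static void pool_yajl_free(void *ctx, void *ptr) {
    (void)ctx; (void)ptr;   /* pool memory lives until the pool is destroyed */
}

static void *pool_yajl_realloc(void *ctx, void *ptr, size_t sz) {
    if (!ptr) return pool_yajl_malloc(ctx, sz);
    blk_hdr *old = (blk_hdr *)ptr - 1;
    void *n = pool_yajl_malloc(ctx, sz);
    if (!n) return NULL;
    memcpy(n, ptr, old->size < sz ? old->size : sz);
    return n;
}

/* Same layout and signatures as yajl_alloc_funcs in <yajl/yajl_common.h>,
 * declared locally so this builds without libyajl; with YAJL present the
 * struct is passed as the second argument of yajl_alloc(). */
typedef struct {
    void *(*malloc)(void *ctx, size_t sz);
    void *(*realloc)(void *ctx, void *ptr, size_t sz);
    void (*free)(void *ctx, void *ptr);
    void *ctx;
} alloc_funcs;

static alloc_funcs pool_alloc_funcs(pool_t *p) {
    alloc_funcs f = { pool_yajl_malloc, pool_yajl_realloc, pool_yajl_free, p };
    return f;
}

/* Copy a fragment of the caller's input buffer into the pool (the PR's
 * treatment of base_offset) so it stays valid after that buffer is reused. */
static char *pool_copy_fragment(pool_t *p, const char *src, size_t len) {
    char *dst = pool_alloc(p, len + 1);
    if (!dst) return NULL;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return dst;
}

/* Grow a string through the pool-backed realloc and keep a copied fragment
 * alive while the constructed stack buffer it came from is overwritten.
 * Returns 1 when both values survive intact. */
static int demo(void) {
    pool_t *p = pool_create(4096);
    if (!p) return 0;
    alloc_funcs af = pool_alloc_funcs(p);

    char *s = af.malloc(af.ctx, 8);
    memcpy(s, "Registe", 8);                  /* "Registe" plus terminator */
    s = af.realloc(af.ctx, s, 64);            /* old bytes must carry over */
    strcat(s, "r");

    char stack_buf[32];                       /* constructed input chunk */
    strcpy(stack_buf, "Register</em>");
    char *copy = pool_copy_fragment(p, stack_buf, 8);   /* "Register" */
    memset(stack_buf, 'X', sizeof stack_buf); /* caller reuses its buffer */

    int ok = strcmp(s, "Register") == 0 && strcmp(copy, "Register") == 0;
    af.free(af.ctx, s);                       /* no-op, as with APR pools */
    pool_destroy(p);
    return ok;
}

int main(void) { return demo() ? 0 : 1; }
```

Two properties of pool-backed allocators are worth keeping in mind when reviewing a change like this: free is a no-op, so every buffer YAJL grows while tokenising a body stays allocated until the transaction's pool is cleared, and realloc has to be implemented by copying, which is why the example stores a size header in front of each block.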


sonarqubecloud bot commented Apr 7, 2026
