authorFabrice Bellard <fabrice@bellard.org>2025-04-07 18:40:49 +0200
committerFabrice Bellard <fabrice@bellard.org>2025-04-07 18:40:49 +0200
commit1eb05e44fad89daafa8ee3eb74b8520b4a37ec9a (patch)
tree0290a0293ea814b84af6e956d1ec007b632e2690
parenta151ce19e5aa684c4c70346fd45f27cc9cdbef93 (diff)
downloadquickjs-1eb05e44fad89daafa8ee3eb74b8520b4a37ec9a.tar.gz
quickjs-1eb05e44fad89daafa8ee3eb74b8520b4a37ec9a.zip
fixed buffer overflow in BJSON String and BigInt reader (#399)
-rw-r--r--quickjs.c7
1 files changed, 5 insertions, 2 deletions
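--- a/quickjs.c
+++ b/quickjs.c
@@ -35564,6 +35564,10 @@ static JSString *JS_ReadString(BCReaderState *s)
 return NULL;
 is_wide_char = len & 1;
 len >>= 1;
+if (len > JS_STRING_LEN_MAX) {
+JS_ThrowInternalError(s->ctx, "string too long");
+return NULL;
+}
 p = js_alloc_string(s->ctx, len, is_wide_char);
 if (!p) {
 s->error_state = -1;
@@ -35675,8 +35679,7 @@ static JSValue JS_ReadBigInt(BCReaderState *s)
 bc_read_trace(s, "}\n");
 return __JS_NewShortBigInt(s->ctx, 0);
 }
-p = js_bigint_new(s->ctx,
-(len + (JS_LIMB_BITS / 8) - 1) / (JS_LIMB_BITS / 8));
+p = js_bigint_new(s->ctx, (len - 1) / (JS_LIMB_BITS / 8) + 1);
 if (!p)
 goto fail;
 for(i = 0; i < len / (JS_LIMB_BITS / 8); i++) {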
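Review bot: The rewritten limb count passed to js_bigint_new in the second hunk is only correct because len is at least 1 on this path, and nothing on the new line records that; the early return just above it looks like the len == 0 case, but its condition sits outside the hunk, so a later reordering could make `(len - 1)` wrap to a huge value. A short comment on the new line would pin both the invariant and why this form was chosen, e.g. `/* len >= 1 here; unlike len + limb_bytes - 1 this cannot overflow for large len */`. The first hunk would benefit from the same treatment, with a one-liner on `if (len > JS_STRING_LEN_MAX)` noting that it bounds len before js_alloc_string does any size arithmetic with it. Whether js_bigint_new itself rejects a limb count derived from a very large len is not visible here; if it does not, an explicit upper-bound check before the call would mirror the string fix. JS_ReadBigInt both starts and continues outside the hunk.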