mirrors/quickjs
1
0
Fork 0
mirror of https://github.com/bellard/quickjs.git synced 2025-05-16 02:55:10 +08:00
Code Issues Packages Projects Releases Wiki Activity

fixed buffer overflow in BJSON String and BigInt reader (#399)

Browse Source
This commit is contained in:
Fabrice Bellard 2025-04-07 18:40:49 +02:00
parent a151ce19e5
commit 1eb05e44fa
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
quickjs.c
View File

@ -35564,6 +35564,10 @@ static JSString *JS_ReadString(BCReaderState *s)
return NULL; return NULL;
is_wide_char = len & 1; is_wide_char = len & 1;
len >>= 1; len >>= 1;
if (len > JS_STRING_LEN_MAX) {
JS_ThrowInternalError(s->ctx, "string too long");
return NULL;
}
p = js_alloc_string(s->ctx, len, is_wide_char); p = js_alloc_string(s->ctx, len, is_wide_char);
if (!p) { if (!p) {
s->error_state = -1; s->error_state = -1;
@ -35675,8 +35679,7 @@ static JSValue JS_ReadBigInt(BCReaderState *s)
bc_read_trace(s, "}\n"); bc_read_trace(s, "}\n");
return __JS_NewShortBigInt(s->ctx, 0); return __JS_NewShortBigInt(s->ctx, 0);
} }
p = js_bigint_new(s->ctx, p = js_bigint_new(s->ctx, (len - 1) / (JS_LIMB_BITS / 8) + 1);
(len + (JS_LIMB_BITS / 8) - 1) / (JS_LIMB_BITS / 8));
if (!p) if (!p)
goto fail; goto fail;
for(i = 0; i < len / (JS_LIMB_BITS / 8); i++) { for(i = 0; i < len / (JS_LIMB_BITS / 8); i++) {