From: Fabrice Bellard Date: Mon, 25 Aug 2025 13:06:19 +0000 (+0200) Subject: fixed buffer overflow in js_bigint_to_string1() X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/postgres_fdw.c?a=commitdiff_plain;h=9ce544289fe86acdb8fb33e6a425da151438be05;p=quickjs.git fixed buffer overflow in js_bigint_to_string1()
---
diff --git a/quickjs.c b/quickjs.c
index 29fd830..994f032 100644
--- a/quickjs.c
+++ b/quickjs.c
@@ -11997,11 +11997,10 @@ static JSValue js_bigint_to_string1(JSContext *ctx, JSValueConst val, int radix)
 bit_pos = i * log2_radix;
 pos = bit_pos / JS_LIMB_BITS;
 shift = bit_pos % JS_LIMB_BITS;
- if (likely((shift + log2_radix) <= JS_LIMB_BITS)) {
- c = r->tab[pos] >> shift;
- } else {
- c = (r->tab[pos] >> shift) |
- (r->tab[pos + 1] << (JS_LIMB_BITS - shift));
+ c = r->tab[pos] >> shift;
+ if ((shift + log2_radix) > JS_LIMB_BITS &&
+ (pos + 1) < r->len) {
+ c |= r->tab[pos + 1] << (JS_LIMB_BITS - shift);
 }
 c &= (radix - 1);
 *--q = digits[c];
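Review bot: The new guard `(pos + 1) < r->len` carries no explanation of why a digit can straddle past the last limb, so a later reader may see it as a stray bounds check and drop it, reintroducing the one-limb over-read this commit removes; add a comment above the `if`, e.g. `/* the most significant digit may extend past the last limb; the bits beyond r->len are not stored and must not be read */`. Only `pos + 1` is checked, while `pos` itself is presumably kept below `r->len` by the loop bound that is set up before this hunk — worth confirming for the top digit when the bit length is not a multiple of log2_radix. Whether the bits that are now silently dropped are truly zero depends on how `r` was obtained (magnitude vs. two's-complement), which the hunk does not show, so the comment should state that assumption once it is confirmed. The enclosing loop of js_bigint_to_string1 begins before and ends after this hunk.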