fixed buffer overflow in js_bigint_to_string1()
authorFabrice Bellard <fabrice@bellard.org>
Mon, 25 Aug 2025 13:06:19 +0000 (15:06 +0200)
committerFabrice Bellard <fabrice@bellard.org>
Mon, 25 Aug 2025 13:06:19 +0000 (15:06 +0200)
quickjs.c

index 29fd830e8d87ed67ed127d757e060d9df8494b22..994f032ab858693ce97f262b8eb4b870ed70a8fa 100644 (file)
--- a/quickjs.c
+++ b/quickjs.c
@@ -11997,11 +11997,10 @@ static JSValue js_bigint_to_string1(JSContext *ctx, JSValueConst val, int radix)
                 bit_pos = i * log2_radix;
                 pos = bit_pos / JS_LIMB_BITS;
                 shift = bit_pos % JS_LIMB_BITS;
-                if (likely((shift + log2_radix) <= JS_LIMB_BITS)) {
-                    c = r->tab[pos] >> shift;
-                } else {
-                    c = (r->tab[pos] >> shift) |
-                        (r->tab[pos + 1] << (JS_LIMB_BITS - shift));
+                c = r->tab[pos] >> shift;
+                if ((shift + log2_radix) > JS_LIMB_BITS &&
+                    (pos + 1) < r->len) {
+                    c |= r->tab[pos + 1] << (JS_LIMB_BITS - shift);
                 }
                 c &= (radix - 1);
                 *--q = digits[c];
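Review bot: The added bound guards only the second limb; the read `c = r->tab[pos] >> shift;` on the first new line is still unchecked, so the fix rests on the digit count computed before this hunk keeping `pos < r->len` for every `i`, and nothing in the hunk says so. A comment on the new `if` would make the invariant and the intent explicit, e.g. `/* pos < r->len is guaranteed by the digit count; a missing top limb contributes zero bits */`. Note the rewrite also drops the `likely()` hint on the fast path, so both comparisons are now evaluated on every digit; that is harmless but worth stating as deliberate if it was. The enclosing loop of js_bigint_to_string1 starts and ends outside the hunk.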