fixed buffer overflow in js_bigint_from_string()

2025-09-27 05:38:45 +03:00 · 2025-08-25 14:24:06 +02:00 · 2025-08-25 14:24:06 +02:00 · e1c18befb8
commit e1c18befb8
parent c942978927
1 changed files with 13 additions and 4 deletions
--- a/quickjs.c
+++ b/quickjs.c
@ -11745,6 +11745,7 @@ static JSBigInt *js_bigint_from_string(JSContext *ctx,
                                       const char *str, int radix)
 {
    const char *p = str;
+    size_t n_digits1;
    int is_neg, n_digits, n_limbs, len, log2_radix, n_bits, i;
    JSBigInt *r;
    js_limb_t v, c, h;
@ -11756,10 +11757,16 @@ static JSBigInt *js_bigint_from_string(JSContext *ctx,
    }
    while (*p == '0')
        p++;
-    n_digits = strlen(p);
+    n_digits1 = strlen(p);
+    /* the real check for overflox is done js_bigint_new(). Here
+       we just avoid integer overflow */
+    if (n_digits1 > JS_BIGINT_MAX_SIZE * JS_LIMB_BITS) {
+        JS_ThrowRangeError(ctx, "BigInt is too large to allocate");
+        return NULL;
+    }
+    n_digits = n_digits1;
    log2_radix = 32 - clz32(radix - 1); /* ceil(log2(radix)) */
    /* compute the maximum number of limbs */
-    /* XXX: overflow */
    if (radix == 10) {
        n_bits = (n_digits * 27 + 7) / 8; /* >= ceil(n_digits * log2(10)) */
    } else {
@ -12207,8 +12214,10 @@ static JSValue js_atof(JSContext *ctx, const char *str, const char **pp,
            if (has_legacy_octal || is_float)
                goto fail;
            r = js_bigint_from_string(ctx, buf, radix);
-            if (!r)
-                goto mem_error;
+            if (!r) {
+                val = JS_EXCEPTION;
+                goto done;
+            }
            val = JS_CompactBigInt(ctx, r);
        }
        break;