Description
In the following file:
https://github.com/bellard/quickjs/blob/master/libbf.c#L1718
At line 1718 inside function __bf_div there exists a security vulnerability due to the lack of a check for correctness of allocation in:
taba = bf_malloc(s, (na + 1) * sizeof(limb_t));
The second argument could result in an unsigned integer overflow if (na + 1) * sizeof(limb_t) exceeds SIZE_T_MAX. Since na is assigned as:
na = n + nb;
and nb is assigned as:
nb = b->len;
where b is a parameter of the function:
static int __bf_div(bf_t *r, const bf_t *a, const bf_t *b, limb_t prec, bf_flags_t flags);
This makes it possible to manually trigger the overflow.
Impact
memset is performed subsequently, after the allocation:
d = na - a->len;
memset(taba, 0, d * sizeof(limb_t));
This would potentially lead to an out-of-bounds write on taba, hence typically resulting in a crash.
Suggested Fix
#348
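The allocation-size check the report asks for, shown as an added example that is not code from QuickJS, from PR #348, or from the reporter. The `limb_t` typedef, the `checked_mul_size` and `alloc_limbs_checked` helpers, and the sample sizes are assumptions made for the illustration; the point is that a wrapped `(na + 1) * sizeof(limb_t)` lets `malloc` succeed with a tiny buffer that the later `memset` then overruns, and that refusing the allocation before it happens removes the out-of-bounds write.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed limb type for the example (libbf uses a machine-word limb). */
typedef uint64_t limb_t;

/* Returns true and stores count * elem in *out when the product fits in
   size_t; returns false and leaves *out untouched when it would wrap. */
static bool checked_mul_size(size_t count, size_t elem, size_t *out)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return false;
    *out = count * elem;
    return true;
}

/* The unchecked pattern from the report: (na + 1) * sizeof(limb_t) wraps
   modulo SIZE_MAX + 1, so a huge na can yield a very small byte count. */
static size_t unchecked_limb_bytes(size_t na)
{
    return (na + 1) * sizeof(limb_t);
}

/* Hardened pattern: refuse (return NULL) when na + 1 or the byte count would
   overflow, so the caller can report a memory error instead of allocating
   a buffer that is smaller than the subsequent memset/writes expect. */
static limb_t *alloc_limbs_checked(size_t na)
{
    size_t bytes;
    if (na > SIZE_MAX - 1)          /* na + 1 itself would wrap */
        return NULL;
    if (!checked_mul_size(na + 1, sizeof(limb_t), &bytes))
        return NULL;
    return (limb_t *)malloc(bytes);
}

/* Returns 1 when the checked allocator correctly refuses an na whose byte
   count wraps, 0 otherwise. The constructed na is the largest value for which
   (na + 1) * sizeof(limb_t) overflows to exactly 0. */
static int demo_overflow_refused(void)
{
    size_t huge_na = SIZE_MAX / sizeof(limb_t);
    limb_t *p = alloc_limbs_checked(huge_na);
    int refused = (p == NULL);
    free(p);
    return refused;
}

int main(void)
{
    size_t huge_na = SIZE_MAX / sizeof(limb_t);
    printf("unchecked byte count for na=%zu: %zu\n", huge_na,
           unchecked_limb_bytes(huge_na));
    printf("checked allocator refused: %d\n", demo_overflow_refused());
    return 0;
}
```

The unchecked byte count for the constructed `na` wraps to 0, which is exactly the condition under which `malloc` returns a valid but useless pointer and the following `memset(taba, 0, d * sizeof(limb_t))` writes past it; the checked path returns NULL first, so no write ever happens.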