This is an automated email from the ASF dual-hosted git repository.
vatamane pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/couchdb.git
The following commit(s) were added to refs/heads/main by this push:
new f65e93667 Fix QuickJS bigint heap overflow
f65e93667 is described below
commit f65e93667ae4f23079cd59326308c898968b6003
Author: Nick Vatamaniuc <[email protected]>
AuthorDate: Fri May 30 11:02:28 2025 -0400
Fix QuickJS bigint heap overflow
From upstream:
https://github.com/bellard/quickjs/commit/638ec8ca5e1d4aed002a9fb3ef3358e2a6bc42ab
Upstream issue: https://github.com/bellard/quickjs/issues/412
---
src/couch_quickjs/quickjs/quickjs.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/couch_quickjs/quickjs/quickjs.c
b/src/couch_quickjs/quickjs/quickjs.c
index 60f720b10..1cebe331f 100644
--- a/src/couch_quickjs/quickjs/quickjs.c
+++ b/src/couch_quickjs/quickjs/quickjs.c
@@ -10563,6 +10563,15 @@ static inline js_limb_t js_limb_clz(js_limb_t a)
}
#endif
+/* handle a = 0 too */
+static inline js_limb_t js_limb_safe_clz(js_limb_t a)
+{
+ if (a == 0)
+ return JS_LIMB_BITS;
+ else
+ return js_limb_clz(a);
+}
+
static js_limb_t mp_add(js_limb_t *res, const js_limb_t *op1, const js_limb_t
*op2,
js_limb_t n, js_limb_t carry)
{
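Review bot: The comment `/* handle a = 0 too */` on js_limb_safe_clz does not say why zero needs special casing, which is the only reason the helper exists. If js_limb_clz is built on __builtin_clz or a similar intrinsic, a zero argument is undefined and returns an arbitrary count; that is what let the caller below compute too few bits and undersize its buffer. I would expand the comment to `/* js_limb_clz(0) is undefined (clz of zero); return the full limb width so callers may pass a possibly-zero top limb */`. The definition of js_limb_clz sits above this hunk and is not visible here, so confirm that is its actual contract before wording the comment that way.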
@@ -11911,7 +11920,7 @@ static JSValue js_bigint_to_string1(JSContext *ctx,
JSValueConst val, int radix)
r = tmp;
}
log2_radix = 31 - clz32(radix); /* floor(log2(radix)) */
- n_bits = r->len * JS_LIMB_BITS - js_limb_clz(r->tab[r->len - 1]);
+ n_bits = r->len * JS_LIMB_BITS - js_limb_safe_clz(r->tab[r->len - 1]);
/* n_digits is exact only if radix is a power of
two. Otherwise it is >= the exact number of digits */
n_digits = (n_bits + log2_radix - 1) / log2_radix;
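Review bot: The switch to js_limb_safe_clz on the n_bits line is correct but leaves no hint at the call site that r->tab[r->len - 1] can be zero, so a later reader may "simplify" it back to js_limb_clz. Because n_bits feeds n_digits and, per the commit title, the size of the output buffer, an underestimate here is the heap overflow being fixed; I would add `/* top limb may be 0 here; clz(0) is undefined and would undersize the digit buffer */` above the assignment. The expression also assumes r->len >= 1, which is presumably guaranteed earlier in the function but cannot be checked from this hunk. js_bigint_to_string1 starts and ends outside the hunk.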