Out-of-bound write in __bf_div, libbf.c
Description

In the following file:
https://github.com/bellard/quickjs/blob/master/libbf.c#L1718

At line 1718, inside the function __bf_div, the allocation size is computed without an overflow check:

    taba = bf_malloc(s, (na + 1) * sizeof(limb_t));

The second argument is subject to unsigned integer overflow when (na + 1) * sizeof(limb_t) exceeds SIZE_T_MAX; the product then wraps and a much smaller buffer than intended is allocated. na is assigned as:

    na = n + nb;

and nb is assigned as:

    nb = b->len;

where b is a parameter of the function:

    static int __bf_div(bf_t *r, const bf_t *a, const bf_t *b, limb_t prec, bf_flags_t flags);

Because the size depends on the length of a caller-supplied operand, the overflow can be triggered deliberately.

Impact

A memset is performed after the allocation:

    d = na - a->len;
    memset(taba, 0, d * sizeof(limb_t));

If the allocation size wrapped, this write extends past the end of taba, i.e. an out-of-bounds write, which typically results in a crash.

Suggested Fix

https://github.com/bellard/quickjs/pull/348
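As an added illustration of the size-computation problem and of the kind of check that closes it (this is example code written for this page, not QuickJS code and not the patch in the linked pull request), the block below places the unchecked expression from the report beside an overflow-checked version, and models the follow-up memset to show when it would run past the buffer. The limb_t type, the helper names and the sample values are assumptions of the example; SIZE_MAX from <stdint.h> is used where the report writes SIZE_T_MAX.

```c
#include <stdint.h>   /* SIZE_MAX, uint64_t */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libbf's limb_t; assumed here to be a 64-bit unsigned
 * integer (an assumption of this example, not taken from the report). */
typedef uint64_t limb_t;

/* The size expression as the report shows it: (na + 1) * sizeof(limb_t)
 * with no overflow check. For large na the product wraps modulo SIZE_MAX + 1
 * and a tiny buffer is requested. Returns the byte count that would be
 * handed to the allocator. */
size_t unchecked_alloc_bytes(size_t na)
{
    return (na + 1) * sizeof(limb_t);
}

/* Overflow-checked version of the same computation. Returns 0 and stores
 * the byte count in *out when (na + 1) * sizeof(limb_t) fits in size_t,
 * otherwise returns -1 and leaves *out untouched. */
int checked_alloc_bytes(size_t na, size_t *out)
{
    if (na == SIZE_MAX)                       /* na + 1 itself would wrap */
        return -1;
    size_t limbs = na + 1;
    if (limbs > SIZE_MAX / sizeof(limb_t))    /* product would wrap */
        return -1;
    *out = limbs * sizeof(limb_t);
    return 0;
}

/* Hardened allocation: refuse the request instead of allocating a wrapped,
 * too-small buffer. NULL means either overflow or allocator failure, so the
 * caller takes the same error path for both. */
limb_t *alloc_limbs_checked(size_t na)
{
    size_t bytes;
    if (checked_alloc_bytes(na, &bytes) != 0)
        return NULL;
    return (limb_t *)malloc(bytes);
}

/* Models the memset that follows the allocation in the report:
 * d = na - a_len limbs are zeroed. Returns 1 if d * sizeof(limb_t) bytes fit
 * inside an allocation of alloc_bytes, 0 if the memset would run past it. */
int memset_fits(size_t alloc_bytes, size_t na, size_t a_len)
{
    if (a_len > na)                           /* d would wrap */
        return 0;
    size_t d = na - a_len;
    if (d > SIZE_MAX / sizeof(limb_t))        /* byte count would wrap */
        return 0;
    return d * sizeof(limb_t) <= alloc_bytes;
}

int main(void)
{
    /* Constructed value: the smallest na for which (na + 1) * sizeof(limb_t)
     * equals SIZE_MAX + 1, so the unchecked product wraps to exactly 0. */
    size_t na_bad = SIZE_MAX / sizeof(limb_t);
    size_t bytes;

    printf("unchecked size for na=%zu: %zu bytes\n",
           na_bad, unchecked_alloc_bytes(na_bad));
    printf("checked: %s\n",
           checked_alloc_bytes(na_bad, &bytes) == 0 ? "ok" : "rejected (overflow)");
    printf("memset of (na - 1) limbs fits in the wrapped buffer? %d\n",
           memset_fits(unchecked_alloc_bytes(na_bad), na_bad, 1));

    /* Ordinary operands: 10 limbs requested, 4 already held by a. */
    limb_t *taba = alloc_limbs_checked(10);
    if (taba) {
        size_t d = 10 - 4;
        memset(taba, 0, d * sizeof(limb_t));  /* 48 bytes into an 88-byte buffer */
        free(taba);
    }
    return 0;
}
```

The checked variant rejects the request before any memory is touched, which is the property a fix in __bf_div needs: once the product has wrapped, nothing downstream (here the memset) can tell that the buffer is shorter than na + 1 limbs.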