Описание
A vulnerability exists in the QuickJS engine's BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure. * The function determines the number of characters (n_digits) needed for the string representation by calculating: $$ \ \text{n_digits} = (\text{n_bits} + \text{log2_radix} - 1) / \text{log2_radix}$$ $$$$This formula is off-by-one in certain edge cases when calculating the necessary memory limbs. For instance, a 127-bit BigInt using radix 32 (where $\text{log2_radix}=5$) is calculated to need $\text{n_digits}=26$. * The maximum number of bits actually stored is $\text{n_bits}=127$, which requires only two 64-bit limbs ($\text{JS_LIMB_BITS}=64$). * The conversion loop iterates $\text{n_digits}=26$ times, attempting to read 5 bits in each iteration, totaling $26 \times 5 = 130$ bits. * In the final iterations of the loop, the code a...
| Релиз | Статус | Примечание |
|---|---|---|
| devel | needs-triage | |
| esm-apps/noble | needs-triage | |
| jammy | DNE | |
| noble | needs-triage | |
| plucky | ignored | end of life, was needs-triage |
| questing | needs-triage | |
| upstream | needs-triage |
Показывать по
6.5 Medium
CVSS3
Связанные уязвимости
A vulnerability exists in the QuickJS engine's BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure. * The function determines the number of characters (n_digits) needed for the string representation by calculating: $$ \\ \text{n\_digits} = (\text{n\_bits} + \text{log2\_radix} - 1) / \text{log2\_radix}$$ $$$$This formula is off-by-one in certain edge cases when calculating the necessary memory limbs. For instance, a 127-bit BigInt using radix 32 (where $\text{log2\_radix}=5$) is calculated to need $\text{n\_digits}=26$. * The maximum number of bits actually stored is $\text{n\_bits}=127$, which requires only two 64-bit limbs ($\text{JS\_LIMB\_BITS}=64$). * The conversion loop iterates $\text{n\_digits}=26$ times, attempting to read 5 bits in each iteration, totaling $26 \times 5 = 130$ bits. * In the final iterations of the lo
A vulnerability exists in the QuickJS engine's BigInt string conversio ...
A vulnerability exists in the QuickJS engine's BigInt string conversion logic (js_bigint_to_string1) due to an incorrect calculation of the required number of digits, which in turn leads to reading memory past the allocated BigInt structure. * The function determines the number of characters (n_digits) needed for the string representation by calculating: $$ \\ \text{n\_digits} = (\text{n\_bits} + \text{log2\_radix} - 1) / \text{log2\_radix}$$ $$$$This formula is off-by-one in certain edge cases when calculating the necessary memory limbs. For instance, a 127-bit BigInt using radix 32 (where $\text{log2\_radix}=5$) is calculated to need $\text{n\_digits}=26$. * The maximum number of bits actually stored is $\text{n\_bits}=127$, which requires only two 64-bit limbs ($\text{JS\_LIMB\_BITS}=64$). * The conversion loop iterates $\text{n\_digits}=26$ times, attempting to read 5 bits in each iteration, totaling $26 \times 5 = 130$ bits. * In the final iterations of the...
6.5 Medium
CVSS3