fixed buffer overflow in js_bigint_to_string1()

past-due · Fabrice Bellard · bnoordhuis · commit 1cd5e67f3e88 · 2025-09-29T23:04:07.000+02:00
Cherry-pick of bellard/quickjs@9ce5442 Co-authored-by: Fabrice Bellard <fabrice@bellard.org>
diff --git a/quickjs.c b/quickjs.c
@@ -11940,11 +11940,10 @@ static JSValue js_bigint_to_string1(JSContext *ctx, JSValueConst val, int radix)
                 bit_pos = i * log2_radix;
                 pos = bit_pos / JS_LIMB_BITS;
                 shift = bit_pos % JS_LIMB_BITS;
-                if (likely((shift + log2_radix) <= JS_LIMB_BITS)) {
-                    c = r->tab[pos] >> shift;
-                } else {
-                    c = (r->tab[pos] >> shift) |
-                        (r->tab[pos + 1] << (JS_LIMB_BITS - shift));
+                c = r->tab[pos] >> shift;
+                if ((shift + log2_radix) > JS_LIMB_BITS &&
+                    (pos + 1) < r->len) {
+                    c |= r->tab[pos + 1] << (JS_LIMB_BITS - shift);
                 }
                 c &= (radix - 1);
                 *--q = digits[c];
