This is an automated email from the ASF dual-hosted git repository. vatamane pushed a commit to branch quickjs-bigint-fix in repository https://gitbox.apache.org/repos/asf/couchdb.git
commit 6bc62d90e801bd26f358fddafd7e60d84b0dd737
Author: Nick Vatamaniuc <[email protected]>
AuthorDate: Fri May 30 11:02:28 2025 -0400

    Fix QuickJS bigint heap overflow

    From upstream: https://github.com/bellard/quickjs/commit/638ec8ca5e1d4aed002a9fb3ef3358e2a6bc42ab

    Upstream issue: https://github.com/bellard/quickjs/issues/412
---
 src/couch_quickjs/quickjs/quickjs.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/couch_quickjs/quickjs/quickjs.c b/src/couch_quickjs/quickjs/quickjs.c
index 60f720b10..1cebe331f 100644
--- a/src/couch_quickjs/quickjs/quickjs.c
+++ b/src/couch_quickjs/quickjs/quickjs.c
@@ -10563,6 +10563,15 @@ static inline js_limb_t js_limb_clz(js_limb_t a)
 }
 #endif
 
+/* handle a = 0 too */
+static inline js_limb_t js_limb_safe_clz(js_limb_t a)
+{
+    if (a == 0)
+        return JS_LIMB_BITS;
+    else
+        return js_limb_clz(a);
+}
+
 static js_limb_t mp_add(js_limb_t *res, const js_limb_t *op1, const js_limb_t *op2,
                         js_limb_t n, js_limb_t carry)
 {
@@ -11911,7 +11920,7 @@ static JSValue js_bigint_to_string1(JSContext *ctx, JSValueConst val, int radix)
         r = tmp;
     }
     log2_radix = 31 - clz32(radix); /* floor(log2(radix)) */
-    n_bits = r->len * JS_LIMB_BITS - js_limb_clz(r->tab[r->len - 1]);
+    n_bits = r->len * JS_LIMB_BITS - js_limb_safe_clz(r->tab[r->len - 1]);
     /* n_digits is exact only if radix is a power of two. Otherwise it
        is >= the exact number of digits */
     n_digits = (n_bits + log2_radix - 1) / log2_radix;
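Review bot: The comment `/* handle a = 0 too */` on the new js_limb_safe_clz does not say why the wrapper exists, and that is the security-relevant part: js_limb_clz (its definition sits just above the hunk, behind the `#endif`, so it presumably maps to a compiler builtin for which clz(0) is undefined) returns an unspecified value for 0, and that value is what fed the undersized allocation this commit fixes. I would replace it with a comment stating the contract, e.g. `/* Leading-zero count that is well defined for a == 0 (js_limb_clz(0) is not): returns JS_LIMB_BITS so that callers sizing buffers from the top limb get a safe upper bound. */`. A one-line note above js_limb_clz saying it must only be called with a non-zero argument would also help future callers pick the right helper; that definition is outside the hunk.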
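Review bot: The unchanged context comment `/* n_digits is exact only if radix is a power of two. Otherwise it is >= the exact number of digits */` becomes stale once a zero top limb is accepted on the new line: with `r->tab[r->len - 1] == 0`, n_bits is `(r->len - 1) * JS_LIMB_BITS`, which is only an upper bound on the bit length even for a power-of-two radix, so n_digits may over-estimate. That is the safe direction for the allocation, but the comment should say so, e.g. `/* n_digits is exact only if radix is a power of two and the top limb is non-zero; otherwise it is >= the exact number of digits */`, provided the power-of-two digit emission further down (outside this hunk) tolerates an over-estimate, which I cannot confirm from here. This is also only one call site: any other place that passes a possibly-zero limb to js_limb_clz, if one exists, has the same undefined result and should be audited as part of this fix. js_bigint_to_string1 begins and ends outside the hunk.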
