Fixed out-of-bound write in libbf.c

3393304070 · trufae · commit b2a467cd13c5 · 2024-09-15T11:55:26.000+02:00
diff --git a/shlr/qjs/src/libbf.c b/shlr/qjs/src/libbf.c
@@ -1694,6 +1694,11 @@ static int __bf_div(bf_t *r, const bf_t *a, const bf_t *b, limb_t prec,
         slimb_t d;
         
         na = n + nb;
+      
+        if (na >= (SIZE_MAX / sizeof(limb_t)) - 1) {
+            return BF_ST_MEM_ERROR;  /* Return memory error status */
+        }
+      
         taba = bf_malloc(s, (na + 1) * sizeof(limb_t));
         if (!taba)
             goto fail;
