| Title | quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow |
|---|---|
| Description | A heap out-of-bounds access (buffer overflow) or use-after-free (UAF) can be triggered in QuickJS-NG in `js_typed_array_constructor` when constructing a typed array from another typed array via `Reflect.construct` with a malicious `new_target` whose prototype lookup executes arbitrary JS that resizes the underlying resizable ArrayBuffer, invalidating a stale length that is used later during the element copy. |
| Root cause | When the constructor argument `p` is a typed array, `js_typed_array_constructor` takes the path `return js_typed_array_constructor_ta(..., p->u.array.count);`. The value `p->u.array.count` (used as the length) is captured once and remains stale inside `js_typed_array_constructor_ta`. During `js_typed_array_constructor_ta`, `js_create_from_ctor` performs a prototype property lookup on `new_target`, which can run arbitrary JS. If that JS resizes the backing ArrayBuffer, the previously captured `len` no longer matches the buffer. The function then copies using the stale assumptions, leading to an out-of-bounds access or UAF at `memcpy(abuf->data, src_abuf->data + ta->offset, abuf->byte_length);`. |
| Affected version | quickjs-ng/quickjs commit 537d004cd22b86373c262528c7e8076eaf76996d (tested on 2026-01-05). |
| Reproduction | Reproduction steps and ASAN crash details are publicly documented in https://github.com/quickjs-ng/quickjs/issues/1305 |
| Reporter credit | mcsky23 (Vlad Ionut Seba) |
| Source | https://github.com/quickjs-ng/quickjs/issues/1305 |
| User | mcsky23 (UID 94179) |
| Submission | 01/09/2026 08:04 PM |
| Moderation | 01/18/2026 02:43 PM (9 days later) |
| Status | Accepted |
| VulDB entry | 341738 [quickjs-ng quickjs up to 0.11.0 quickjs.c js_typed_array_constructor_ta heap-based overflow] |
| Points | 20 |
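The defect class described above is a stale-length check around a call that re-enters user code. The C below is an added illustration, not QuickJS code: `rbuf_t`, `view_t`, `resize_view`, `shrink_hook`, `view_covers` and the `demo_*` functions are all hypothetical names constructed for this example. A hook stands in for the prototype lookup on `new_target`; it shrinks the source buffer after the element count was captured. The hardened copy re-validates the captured length against the live buffer after the hook and refuses to copy if the view no longer covers it, which is the check a fix for this bug class needs; a diagnostic helper measures, without touching memory, how far a copy trusting the stale length would have read past the end.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a resizable backing buffer (constructed for this
 * example; not QuickJS's ArrayBuffer structure). */
typedef struct {
    unsigned char *data;
    size_t byte_length;        /* live length; user code may shrink it */
} rbuf_t;

/* Hypothetical length-tracking view over rbuf_t, standing in for a typed
 * array. Elements are 1 byte wide to keep the arithmetic obvious. */
typedef struct {
    rbuf_t *buf;
    size_t offset;
    size_t count;              /* kept in sync with buf by resize_view() */
} view_t;

/* Shrink the buffer and refresh the view's count, as an engine does on resize. */
static void resize_view(view_t *v, size_t new_byte_length) {
    v->buf->byte_length = new_byte_length;
    v->count = new_byte_length > v->offset ? new_byte_length - v->offset : 0;
}

/* A hook stands in for the prototype lookup that can run arbitrary user code. */
typedef void (*hook_fn)(view_t *src);

/* Hook that shrinks the source so the view no longer covers any bytes. */
static void shrink_hook(view_t *src) { resize_view(src, src->offset); }

/* Fresh bounds check: does [offset, offset+len) fit the buffer right now? */
static int view_covers(const view_t *v, size_t len) {
    if (v->offset > v->buf->byte_length) return 0;
    return len <= v->buf->byte_length - v->offset;
}

/* Hardened copy: len is captured early (like the stale p->u.array.count) but
 * is re-validated against the live buffer after the hook, before any memcpy.
 * Returns bytes copied, or -1 if the source changed underneath us. */
static long copy_elements_checked(view_t *src, hook_fn hook,
                                  unsigned char *dst, size_t dst_cap) {
    size_t len = src->count;
    if (len > dst_cap) return -1;
    if (hook) hook(src);                /* may resize src->buf */
    if (!view_covers(src, len)) return -1;
    memcpy(dst, src->buf->data + src->offset, len);
    return (long)len;
}

/* Diagnostic only: how many bytes a copy that trusted the captured len would
 * read past the live end of the buffer. No memory is touched. */
static size_t stale_overread_bytes(view_t *src, hook_fn hook) {
    size_t len = src->count;
    if (hook) hook(src);
    size_t avail = view_covers(src, 0) ? src->buf->byte_length - src->offset : 0;
    return len > avail ? len - avail : 0;
}

/* Constructed fixture: 32-byte buffer, view at offset 8 covering 16 elements. */
static void make_fixture(rbuf_t *buf, view_t *view, unsigned char *storage) {
    for (size_t i = 0; i < 32; i++) storage[i] = (unsigned char)i;
    buf->data = storage; buf->byte_length = 32;
    view->buf = buf; view->offset = 8; view->count = 16;
}

/* Scenario A: no user code runs; the copy completes with 16 bytes. */
long demo_without_hook(void) {
    unsigned char storage[32], dst[16]; rbuf_t buf; view_t view;
    make_fixture(&buf, &view, storage);
    long n = copy_elements_checked(&view, NULL, dst, sizeof dst);
    return (n == 16 && dst[0] == 8 && dst[15] == 23) ? n : -2;
}

/* Scenario B: the hook shrinks the buffer; the checked copy refuses (-1). */
long demo_checked_with_shrink(void) {
    unsigned char storage[32], dst[16]; rbuf_t buf; view_t view;
    make_fixture(&buf, &view, storage);
    return copy_elements_checked(&view, shrink_hook, dst, sizeof dst);
}

/* Scenario B measured: a copy using the stale len would over-read 16 bytes. */
size_t demo_stale_overread(void) {
    unsigned char storage[32]; rbuf_t buf; view_t view;
    make_fixture(&buf, &view, storage);
    return stale_overread_bytes(&view, shrink_hook);
}

int main(void) {
    printf("no hook: copied %ld bytes\n", demo_without_hook());
    printf("shrink hook, checked copy: %ld\n", demo_checked_with_shrink());
    printf("shrink hook, stale over-read: %zu bytes\n", demo_stale_overread());
    return 0;
}
```

The design point is that any length or pointer read before a call that can re-enter script (property lookup, getter, `valueOf`, allocation with a user-visible constructor) must be treated as untrusted afterwards: either re-read it from the live object or re-check it against the object's current state before it reaches `memcpy`.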