quickjs-ng
cpe:2.3:a:quickjs-ng:quickjs:*:*:*:*:*:*:*
- <= 0.10.0
- <= 0.9.0
A heap-based buffer overflow vulnerability has been identified in QuickJS-ng versions through 0.9.0. The issue arises from a missing length check in the 'JS_ReadString' function, which is part of the 'BJSON' deserialization process. Because of this oversight, an oversized length value can overflow the integer during LEB128 parsing, so the buffer allocated for the string is smaller than the data that is subsequently written into it. A crafted input that triggers the overflow therefore causes the application to write beyond the allocated memory, potentially leading to arbitrary code execution.
Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to memory corruption and potentially allow for arbitrary code execution.
The vulnerability can be reproduced by using the QuickJS-ng JavaScript engine with a crafted input file that encodes a LEB128 value representing an excessively long string or BigInt. This can be achieved by base64-encoding the appropriate byte sequence and using it as input in a fuzzing context.
Users can upgrade to QuickJS-ng version 0.10.1, which addresses this vulnerability by implementing the necessary length checks and correcting the size calculations in the affected deserialization functions.
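As an added illustration of the two checks a fix for this class of bug needs, the following C is not QuickJS-ng's code and not the actual patch: it rejects LEB128 encodings that do not fit the target integer instead of letting them wrap, and it validates the decoded length against the input that actually remains before any allocation. The function names, status codes and sample byte sequences are constructed for this example.

```c
/* Added example, not QuickJS-ng code: a bounds-checked unsigned LEB128
 * length decoder and a length-prefixed string reader built on it. All
 * names here are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum leb_status {
    LEB_OK = 0,
    LEB_TRUNCATED,      /* input ended in the middle of the varint */
    LEB_OVERLONG,       /* value does not fit in 32 bits */
    LEB_LENGTH_EXCEEDS, /* length is larger than the bytes that remain */
    LEB_NOMEM
};

/* Decode an unsigned LEB128 value into a uint32_t from buf[*pos..len).
 * Instead of shifting bits off the top (which wraps the value and is the
 * root of an undersized allocation), any encoding needing more than 32
 * bits is rejected. */
static enum leb_status read_leb128_u32(const uint8_t *buf, size_t len,
                                       size_t *pos, uint32_t *out)
{
    uint32_t value = 0;
    unsigned shift = 0;
    for (;;) {
        if (*pos >= len)
            return LEB_TRUNCATED;
        uint8_t b = buf[(*pos)++];
        /* the fifth byte may contribute only its low 4 bits (bits 28..31) */
        if (shift == 28 && (b & 0x70) != 0)
            return LEB_OVERLONG;
        value |= (uint32_t)(b & 0x7f) << shift;
        if ((b & 0x80) == 0)
            break;
        shift += 7;
        if (shift > 28)         /* a sixth byte can never be valid */
            return LEB_OVERLONG;
    }
    *out = value;
    return LEB_OK;
}

/* Read a length-prefixed string. The decoded length is checked against
 * the input that actually remains before malloc, so a forged length can
 * neither undersize the buffer nor drive memcpy past the input. */
static char *read_string_checked(const uint8_t *buf, size_t len,
                                 size_t *pos, enum leb_status *st)
{
    uint32_t n;
    *st = read_leb128_u32(buf, len, pos, &n);
    if (*st != LEB_OK)
        return NULL;
    if (n > len - *pos) {           /* *pos <= len here, no underflow */
        *st = LEB_LENGTH_EXCEEDS;
        return NULL;
    }
    char *s = malloc((size_t)n + 1); /* n < len, so n + 1 cannot wrap */
    if (!s) {
        *st = LEB_NOMEM;
        return NULL;
    }
    memcpy(s, buf + *pos, n);
    s[n] = '\0';
    *pos += n;
    return s;
}

/* Constructed sample inputs (not taken from any real BJSON file). */
static const uint8_t SAMPLE_VALID[]     = {0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_SHORT[]     = {0x10, 'a', 'b'};               /* claims 16 bytes, has 2 */
static const uint8_t SAMPLE_HUGE[]      = {0x80, 0x80, 0x80, 0x80, 0x0f}; /* decodes to 0xF0000000 */
static const uint8_t SAMPLE_OVERLONG[]  = {0x80, 0x80, 0x80, 0x80, 0x10}; /* would be 1 << 32 */
static const uint8_t SAMPLE_TRUNCATED[] = {0x80};

static char g_last[64];

/* Decode one sample; the string (if any) is kept in g_last for inspection. */
static enum leb_status try_read(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    enum leb_status st;
    char *s = read_string_checked(buf, len, &pos, &st);
    g_last[0] = '\0';
    if (s) {
        snprintf(g_last, sizeof g_last, "%s", s);
        free(s);
    }
    return st;
}

static const char *last_string(void) { return g_last; }

int main(void)
{
    static const char *names[] = {"ok", "truncated", "overlong",
                                  "length exceeds input", "out of memory"};
    printf("valid:     %s (\"%s\")\n",
           names[try_read(SAMPLE_VALID, sizeof SAMPLE_VALID)], last_string());
    printf("short:     %s\n", names[try_read(SAMPLE_SHORT, sizeof SAMPLE_SHORT)]);
    printf("huge:      %s\n", names[try_read(SAMPLE_HUGE, sizeof SAMPLE_HUGE)]);
    printf("overlong:  %s\n", names[try_read(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG)]);
    printf("truncated: %s\n", names[try_read(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED)]);
    return 0;
}
```

The order of the checks is the point: the varint decoder refuses to produce a wrapped value, and the length is compared with the remaining input before the allocation size is computed, so neither an overlong encoding nor an honest-looking but oversized length ever reaches malloc or memcpy.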