QuickJS
cpe:2.3:a:quickjs_project:quickjs:*:*:*:*:*:*:*
- 1fdc768fdc8571300755cdd3e4654ce99c0255ce
An integer overflow has been identified in js_bigint_from_string, the QuickJS function that builds a BigInt from a string. It is triggered when the string contains an excessively large number of digits, 79,536,432 or more in base 10. The function computes the number of bits the result needs in a signed 32-bit integer; for such inputs that computation exceeds INT32_MAX and wraps, so the required size is underestimated and the BigInt object is allocated too small. When the parsed BigInt data is then written into the object, the write runs past the end of the heap allocation.
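The size miscalculation described above, shown as a simplified model added here (this is not QuickJS's own code). The model sizes a 64-bit limb buffer from a per-digit bit cost kept in fixed point (eighths of a bit, so base 10 costs 27/8 bits per digit); that fixed-point choice, the function names `digit_bits_x8`, `limbs_unchecked`, `limbs_checked` and `first_overflowing_digit_count`, and the 64-bit limb width are assumptions of the model, picked so that the wrap lands on the digit count the advisory gives. The unchecked variant multiplies in 32-bit signed arithmetic, as the vulnerable computation does; the checked variant does the same arithmetic in a wider unsigned type and bounds the result before it reaches an int-sized length field.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define LIMB_BITS 64  /* assumed limb width of the model */

/* Upper bound on the cost of one digit, in eighths of a bit:
 * the smallest k with radix^8 <= 2^k, i.e. ceil(8 * log2(radix)).
 * Base 10 -> 27 (27/8 = 3.375 >= log2(10) = 3.3219...), base 16 -> 32.
 * Fixed-point scaling is an assumption of this model, not QuickJS's code. */
static int digit_bits_x8(int radix)
{
    uint64_t r8 = 1;                 /* radix <= 36, so 36^8 fits in 64 bits */
    for (int i = 0; i < 8; i++)
        r8 *= (uint64_t)radix;
    int k = 0;
    while (k < 64 && ((uint64_t)1 << k) < r8)
        k++;
    return k;
}

/* Vulnerable pattern: the product is formed in 32-bit signed arithmetic.
 * Signed overflow is undefined in C, so the wrap is reproduced here through
 * a uint32_t and a conversion back to int32_t (two's complement modulo on
 * every mainstream compiler) to show what the machine actually computes. */
static int64_t limbs_unchecked(int n_digits, int radix)
{
    uint32_t prod = (uint32_t)n_digits * (uint32_t)digit_bits_x8(radix);
    int32_t n_bits_x8 = (int32_t)prod;           /* negative past INT32_MAX */
    int32_t n_bits = (n_bits_x8 + 7) / 8;
    int32_t n_limbs = (n_bits + LIMB_BITS - 1) / LIMB_BITS;
    if (n_limbs < 1)
        n_limbs = 1;                             /* tiny allocation, huge write */
    return n_limbs;
}

/* Hardened form: widen before multiplying, then refuse any result that would
 * not fit the int-sized length fields downstream. Returns -1 on rejection. */
static int64_t limbs_checked(int n_digits, int radix)
{
    if (n_digits < 0 || radix < 2 || radix > 36)
        return -1;
    uint64_t bits_x8 = (uint64_t)n_digits * (uint64_t)digit_bits_x8(radix);
    uint64_t n_bits = (bits_x8 + 7) / 8;
    if (n_bits > (uint64_t)INT32_MAX)            /* would not survive an int */
        return -1;
    uint64_t n_limbs = (n_bits + LIMB_BITS - 1) / LIMB_BITS;
    if (n_limbs == 0)
        n_limbs = 1;
    return (int64_t)n_limbs;
}

/* Smallest digit count whose 32-bit product wraps: INT32_MAX / cost + 1. */
static int64_t first_overflowing_digit_count(int radix)
{
    return (int64_t)INT32_MAX / digit_bits_x8(radix) + 1;
}

int main(void)
{
    const int64_t edge = first_overflowing_digit_count(10);
    printf("base 10 wraps from %lld digits\n", (long long)edge);
    const int64_t probes[] = { 1000, edge - 1, edge, edge + 1000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int n = (int)probes[i];
        printf("%10d digits: unchecked %10lld limbs, checked %10lld limbs\n",
               n, (long long)limbs_unchecked(n, 10),
               (long long)limbs_checked(n, 10));
    }
    return 0;
}
```

At 79,536,431 decimal digits both variants agree on 4,194,304 limbs; one digit more and the unchecked product wraps negative, the limb count collapses to 1, and every limb written for the parsed value lands outside the allocation, while the widened computation still sizes the buffer correctly at 4,194,305 limbs.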
The result is a heap-based buffer overflow: BigInt data is written beyond the memory allocated for the object. Memory corruption of this kind can crash the process and may be exploitable for arbitrary code execution.
The vulnerability can be reproduced with an AddressSanitizer (ASan) build of the QuickJS binary: construct a string of 79,536,432 decimal digits (roughly 80 MB of input) and pass it to the BigInt constructor. ASan reports a heap-buffer-overflow, confirming that the out-of-bounds write was triggered.
This vulnerability has been fixed in the QuickJS release version 2025-09-13.