commit 0121293f8de339d2c6d26da63a92f79cfff1b871
parent 8aa2a900974b100672d1af89a97c1043372a446d
Author: Valentina Demiciseaux <vallyyyyy@proton.me>
Date: Sat, 14 Feb 2026 23:46:26 +0000
fix out of bounds read in zlsb()
prev scales i from a char index to a bit index, then indexes chars with the scaled value, causing
a page fault or reading garbage. scale i after the read instead.
here is a reproducer
#include <stdio.h>
#include "libzahl/zahl.h"
int
main(void)
{
z_t x;
zinit(x);
zsetu(x, 1);
zlsh(x, x, 2097153);
printf("used chars: expect 32769, have %lu\n", x->used);
size_t tz = zlsb(x);
printf("tz: expect 2097153, have %lu\n", tz);
}
Diffstat:
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/zahl/inlines.h b/zahl/inlines.h
@@ -88,13 +88,13 @@ zsetu(z_t a, uint64_t b)
ZAHL_INLINE size_t
zlsb(z_t a)
{
- size_t i = 0;
+ size_t i = 0, j = 0;
if (ZAHL_UNLIKELY(zzero(a)))
return SIZE_MAX;
for (; !a->chars[i]; i++);
- i *= 8 * sizeof(zahl_char_t);
- ZAHL_ADD_CTZ(i, a->chars[i]);
- return i;
+ ZAHL_ADD_CTZ(j, a->chars[i]);
+ j += i * 8 * sizeof(zahl_char_t);
+ return j;
}
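Review bot: The scan `for (; !a->chars[i]; i++);` still has no upper bound; it is only safe because a non-zero `a` must hold a non-zero char below `a->used`, and zlsb() nowhere states that it relies on this. A comment on the loop such as `/* zzero(a) is false, so a non-zero char exists below a->used and the scan terminates */` would make the reliance explicit, and an assertion on `i < a->used` after the loop (with whatever debug-check facility the project uses) would catch a denormalized input before it turns into an out-of-bounds read like the one this commit fixes. The reproducer in the commit message is exactly the regression case, a single bit set above the first char, and is worth keeping as a test rather than only in the log. As a style point, `j += i * 8 * sizeof(zahl_char_t);` could spell the bit width as `CHAR_BIT * sizeof(zahl_char_t)` from <limits.h> instead of the literal 8.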