From 1db8d6cc19a691f5a22d446998aeacdfbf46a4c3 Mon Sep 17 00:00:00 2001
From: satk0
Date: Mon, 7 Oct 2024 22:09:06 +0200
Subject: [PATCH] Fix out-of-bound write in libbf

---
 libbf.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/libbf.c b/libbf.c
index 5d48db6..6293f4e 100644
--- a/libbf.c
+++ b/libbf.c
@@ -1710,6 +1710,13 @@ static int __bf_div(bf_t *r, const bf_t *a, const bf_t *b, limb_t prec,
 slimb_t d;
 
 na = n + nb;
+
+#if LIMB_LOG2_BITS == 6
+ if (na >= (SIZE_MAX / sizeof(limb_t)) - 1) {
+ return BF_ST_MEM_ERROR; /* Return memory error status */
+ }
+#endif
+
 taba = bf_malloc(s, (na + 1) * sizeof(limb_t));
 if (!taba)
 goto fail;
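Review bot: The new size guard before `bf_malloc` is compiled only when `LIMB_LOG2_BITS == 6`, so builds with 32-bit limbs still compute `(na + 1) * sizeof(limb_t)` unchecked, and that product can wrap there as well if `size_t` is 32 bits wide. The guard also returns `BF_ST_MEM_ERROR` directly, whereas the allocation failure two lines below uses `goto fail`; the `fail` label lies outside the hunk, so whatever it does to `r` (presumably resetting it) is skipped on this path. I would drop the `#if` and write `if (na >= SIZE_MAX / sizeof(limb_t) - 1) goto fail;`. The sum `na = n + nb` is itself unchecked, so a wrap in that addition would pass the comparison; whether callers bound `n` and `nb` tightly enough to exclude it is not visible here. A comment stating the invariant, e.g. `/* (na + 1) * sizeof(limb_t) must not wrap size_t */`, would serve the next reader better than `/* Return memory error status */`.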