[hackers] [libzahl][PATCH] fix out of bounds read in zlsb()

From: Valentina Demiciseaux <vallyyyyy_AT_proton.me>
Date: Sat, 14 Feb 2026 23:46:26 +0000

The previous code scales i from the number of chars to the number of bits,
then indexes with it, causing a page fault or reading garbage. Scale i after
the read instead.

Here is a reproducer:

    #include <setjmp.h>
    #include <stdio.h>
    #include "libzahl/zahl.h"

    int
    main(void)
    {
        jmp_buf env;
        z_t x;

        /* libzahl reports errors by longjmp'ing to the buffer passed to zsetup() */
        if (setjmp(env)) {
            zperror("reproducer");
            return 1;
        }
        zsetup(env);

        zinit(x);
        zsetu(x, 1);

        /* 2097153 = 2^21 + 1: bit 1 of char index 32768, so 32769 chars are in use */
        zlsh(x, x, 2097153);

        printf("used chars: expect 32769, have %zu\n", x->used);

        /* the old zlsb() scales the char index to a bit index (32768 * 64) and then
         * indexes chars[] with it, reading far past the end of the allocation */
        size_t tz = zlsb(x);

        printf("tz: expect 2097153, have %zu\n", tz);

        zfree(x);
        zunsetup();
        return 0;
    }
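As an added illustration (this is not part of the patch and not libzahl's own code), the program below models the two index computations from zlsb() on a minimal stand-in for z_t and generalises the reproducer to an arbitrary shift amount. It shows why the bug stays invisible as long as the lowest char is nonzero (the scaled index is then 0, which happens to be in bounds) and why it fires for every value whose lowest nonzero char sits at index 1 or above. The struct bigmodel, limb_t and the *_for_pow2 helpers are hypothetical names chosen here; the buggy path returns the index it would have dereferenced instead of reading it, so the demonstration itself has no undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for zahl_char_t (libzahl's chars are 64-bit as well). */
typedef uint64_t limb_t;
#define LIMB_BITS (8 * sizeof(limb_t))

/* Hypothetical minimal model of z_t: only the fields zlsb() touches,
 * plus the allocation size so an out-of-bounds index can be detected. */
struct bigmodel {
    size_t used;     /* chars in use */
    size_t alloced;  /* chars allocated */
    limb_t *chars;   /* little-endian char array */
};

/* Build 1 << shift, the value zsetu(x, 1); zlsh(x, x, shift) produces. */
static void model_set_pow2(struct bigmodel *n, size_t shift)
{
    n->used = shift / LIMB_BITS + 1;
    n->alloced = n->used;                   /* exact fit, like a tight allocator */
    n->chars = calloc(n->alloced, sizeof(limb_t));
    if (!n->chars)
        abort();
    n->chars[shift / LIMB_BITS] = (limb_t)1 << (shift % LIMB_BITS);
}

/* Portable trailing-zero count; v must be nonzero. */
static size_t ctz_limb(limb_t v)
{
    size_t c = 0;
    while (!(v & 1)) {
        v >>= 1;
        c++;
    }
    return c;
}

/* What the scan loop in zlsb() computes: index of the lowest nonzero char.
 * n must be nonzero, otherwise the loop runs off the end. */
static size_t first_nonzero_char(const struct bigmodel *n)
{
    size_t i = 0;
    while (!n->chars[i])
        i++;
    return i;
}

/* Pre-patch order: scale i to bits, then index chars[] with the scaled value.
 * Returned rather than dereferenced; the old code reads n->chars[i] here. */
static size_t buggy_read_index(const struct bigmodel *n)
{
    size_t i = first_nonzero_char(n);
    i *= LIMB_BITS;
    return i;
}

/* Post-patch order: read chars[i] first, then add the char offset in bits. */
static size_t fixed_lsb(const struct bigmodel *n)
{
    size_t i, j;
    if (n->used == 0)
        return SIZE_MAX;
    i = first_nonzero_char(n);
    j = ctz_limb(n->chars[i]);
    j += i * LIMB_BITS;
    return j;
}

/* One-call helpers: build 1 << shift, evaluate, free. */
size_t used_chars_for_pow2(size_t shift)
{
    struct bigmodel n;
    model_set_pow2(&n, shift);
    free(n.chars);
    return n.used;
}

size_t buggy_read_index_for_pow2(size_t shift)
{
    struct bigmodel n;
    size_t idx;
    model_set_pow2(&n, shift);
    idx = buggy_read_index(&n);
    free(n.chars);
    return idx;
}

/* 1 if the pre-patch code would read past the allocation for 1 << shift. */
int buggy_reads_oob_for_pow2(size_t shift)
{
    return buggy_read_index_for_pow2(shift) >= used_chars_for_pow2(shift);
}

size_t fixed_lsb_for_pow2(size_t shift)
{
    struct bigmodel n;
    size_t r;
    model_set_pow2(&n, shift);
    r = fixed_lsb(&n);
    free(n.chars);
    return r;
}

int main(void)
{
    const size_t shifts[] = { 0, 5, 63, 64, 65, 2097153 };
    size_t k;
    for (k = 0; k < sizeof shifts / sizeof shifts[0]; k++) {
        size_t s = shifts[k];
        printf("1<<%zu: used=%zu fixed lsb=%zu buggy index=%zu (%s)\n",
               s, used_chars_for_pow2(s), fixed_lsb_for_pow2(s),
               buggy_read_index_for_pow2(s),
               buggy_reads_oob_for_pow2(s) ? "out of bounds" : "in bounds by luck");
    }
    return 0;
}
```

The table the program prints makes the boundary explicit: shifts 0 through 63 keep the lowest char nonzero and the old code happens to index chars[0], while from shift 64 onward the scaled index (64, 128, ...) exceeds the two or more chars actually allocated, which is exactly the reproducer's case at 1 << 2097153 with index 2097152 against 32769 chars.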
---
 zahl/inlines.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/zahl/inlines.h b/zahl/inlines.h
index 8cb9af2..43faacf 100644
--- a/zahl/inlines.h
+++ b/zahl/inlines.h
_AT_@ -88,13 +88,13 @@ zsetu(z_t a, uint64_t b)
 ZAHL_INLINE size_t
 zlsb(z_t a)
 {
-	size_t i = 0;
+	size_t i = 0, j = 0;
 	if (ZAHL_UNLIKELY(zzero(a)))
 		return SIZE_MAX;
 	for (; !a->chars[i]; i++);
-	i *= 8 * sizeof(zahl_char_t);
-	ZAHL_ADD_CTZ(i, a->chars[i]);
-	return i;
+	ZAHL_ADD_CTZ(j, a->chars[i]);
+	j += i * 8 * sizeof(zahl_char_t);
+	return j;
 }
 
 
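Review bot: the scan loop `for (; !a->chars[i]; i++);` terminates only because zzero(a) is rejected first, so the early `return SIZE_MAX;` must stay ahead of it; the fix itself is sound, since j starts at 0, ZAHL_ADD_CTZ now only sees the trailing-zero count of the char actually read at chars[i], and the char offset i * 8 * sizeof(zahl_char_t) is added afterwards. A one-variable alternative that keeps the original shape is to save the char before scaling, e.g. `zahl_char_t c = a->chars[i]; i *= 8 * sizeof(zahl_char_t); ZAHL_ADD_CTZ(i, c);`. Either way, consider turning the reproducer from the commit message into a regression test so the index order cannot silently regress.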
-- 
2.53.0
Received on Sun Feb 15 2026 - 00:46:26 CET