From 3cfe6999b14d0ab6d0cc6fb3cd30ca8e9c0c947f Mon Sep 17 00:00:00 2001
From: Swissola
Date: Sun, 24 May 2026 02:01:32 +0000
Subject: [PATCH] fix(bjs): strndup with slash=-1 panics on scripts without a directory path

run_bjs_script_headless() called strndup(filename.c_str(), slash) where slash = filename.lastIndexOf('/') returns -1 when no path separator is present. strndup takes size_t, so -1 coerces to SIZE_MAX (~4 GB) and the allocator either panics on the heap assertion or returns NULL. The subsequent JS_NewString(ctx, scriptDirpath) then dereferences NULL, crashing the interpreter before the script runs.

The same bug bites when the path is at root level (slash == 0): strndup(p, 0) produces an empty string, making __dirpath "" instead of "/" and breaking any relative path resolution inside the script.

Fix: handle the no-slash and root-slash cases explicitly before falling through to the normal strndup path.

Likely root cause of issue #2450 (crash launching the app store on Cardputer ADV), where the app store script path may be constructed without a leading slash depending on the invocation path.

Co-Authored-By: Claude Sonnet 4.6
---
 src/modules/bjs_interpreter/interpreter.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/modules/bjs_interpreter/interpreter.cpp b/src/modules/bjs_interpreter/interpreter.cpp
index eb43544cfd..0b0eb489bf 100644
--- a/src/modules/bjs_interpreter/interpreter.cpp
+++ b/src/modules/bjs_interpreter/interpreter.cpp
@@ -167,8 +167,13 @@ bool run_bjs_script_headless(FS fs, String filename) {
 if (script == NULL) { return false; }
 int slash = filename.lastIndexOf('/');
- scriptName = strdup(filename.c_str() + slash + 1);
- scriptDirpath = strndup(filename.c_str(), slash);
+ if (slash < 0) {
+ scriptDirpath = strdup("/");
+ scriptName = strdup(filename.c_str());
+ } else {
+ scriptName = strdup(filename.c_str() + slash + 1);
+ scriptDirpath = strndup(filename.c_str(), slash == 0 ? 1 : slash);
+ }
 returnToMenu = true;
 interpreter_state = 1;
 startInterpreterTask();
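Review bot: The strdup()/strndup() calls on both sides of the new if/else are still unchecked, and the commit message itself names JS_NewString(ctx, scriptDirpath) dereferencing a NULL scriptDirpath as the crash, so an allocation failure under heap pressure on the device reaches the same NULL deref once startInterpreterTask() hands the globals to the interpreter task. The lines below, placed between the new else block and `returnToMenu = true;`, close that path; whether `script` (loaded above the hunk) also has to be released on this early return depends on code outside the hunk. Separately, assigning fresh strdup() results into the scriptName/scriptDirpath globals without freeing the previous values looks like it leaks a pair of strings per launch unless a teardown path elsewhere frees them — worth confirming. run_bjs_script_headless starts before the hunk and continues past it.
```cpp
    // … unchanged: slash < 0 / else branches above …
    if (scriptName == NULL || scriptDirpath == NULL) {
        // strdup/strndup failed (out of heap): never hand a NULL path to the interpreter task
        free(scriptName);
        free(scriptDirpath);
        scriptName = scriptDirpath = NULL;
        return false;
    }
    returnToMenu = true;
```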