From 0121293f8de339d2c6d26da63a92f79cfff1b871 Mon Sep 17 00:00:00 2001
From: Valentina Demiciseaux
Date: Sat, 14 Feb 2026 23:46:26 +0000
Subject: fix out of bounds read in zlsb()

prev scales i from num chars -> num bits, then indexes with it, causing a page fault or reading garbage. scale i after the read instead. here is a reproducer
#include
#include "libzahl/zahl.h"
int main(void) { z_t x; zinit(x); zsetu(x, 1); zlsh(x, x, 2097153); printf("used chars: expect 32769, have %lu\n", x->used); size_t tz = zlsb(x); printf("tz: expect 2097153, have %lu\n", tz); }
---
 zahl/inlines.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'zahl')

diff --git a/zahl/inlines.h b/zahl/inlines.h
index 8cb9af2..43faacf 100644
--- a/zahl/inlines.h
+++ b/zahl/inlines.h
@@ -88,13 +88,13 @@ zsetu(z_t a, uint64_t b)
 ZAHL_INLINE size_t
 zlsb(z_t a)
 {
-	size_t i = 0;
+	size_t i = 0, j = 0;
 	if (ZAHL_UNLIKELY(zzero(a)))
 		return SIZE_MAX;
 	for (; !a->chars[i]; i++);
-	i *= 8 * sizeof(zahl_char_t);
-	ZAHL_ADD_CTZ(i, a->chars[i]);
-	return i;
+	ZAHL_ADD_CTZ(j, a->chars[i]);
+	j += i * 8 * sizeof(zahl_char_t);
+	return j;
 }
-- 
cgit v1.2.3-70-g09d2
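Review bot: The ordering fix is right, but nothing in the new body says why `i` must stay a char index until after `a->chars[i]` is read, so the same merge of index and bit offset can be reintroduced by the next cleanup; a one-line comment before `ZAHL_ADD_CTZ(j, a->chars[i]);` such as `/* i is a char index: read chars[i] before scaling it to a bit offset */` would pin that down. The scan `for (; !a->chars[i]; i++);` has no explicit bound and relies on the preceding `zzero(a)` check implying a non-zero char below `a->used`; that dependency is worth stating in the same comment, since a caller passing a non-normalised value would read past the array. The reproducer in the description (a value whose lowest set bit lies above the first char, `zlsh(x, x, 2097153)`) is not added to the test suite; a regression case asserting `zlsb` returns 2097153 there would keep this from silently regressing. zlsb's body is complete within the hunk.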