From 54c7063708bf38f9bb7b4f311fb17229e5964d6e Mon Sep 17 00:00:00 2001
From: Yi LIU <yi@quantstamp.com>
Date: Mon, 16 Feb 2026 23:51:23 +0800
Subject: [PATCH] Add bounds check to source map VLQ decoder shift

readBase64VLQ() increments the shift value by 5 for each continuation
digit with no upper bound. After 7 continuation digits, shift reaches 35
and 'digit << shift' on a uint32_t is undefined behavior (shifting by
an amount >= the type width). Add a bounds check after incrementing
shift, throwing a MapParseException for malformed VLQ values.
---
 src/wasm/source-map.cpp | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/wasm/source-map.cpp b/src/wasm/source-map.cpp
index ecb7e96512c..46341137435 100644
--- a/src/wasm/source-map.cpp
+++ b/src/wasm/source-map.cpp
@@ -196,6 +196,9 @@ int32_t SourceMapReader::readBase64VLQ() {
       ch > '9' ? ch - 'g' : (ch >= '0' ? ch - '0' + 20 : (ch == '+' ? 30 : 31));
     value |= digit << shift;
     shift += 5;
+    if (shift >= 32) {
+      throw MapParseException("VLQ value too large");
+    }
   }
   return value & 1 ? -int32_t(value >> 1) : int32_t(value >> 1);
 }