Moddable · Moddable SDK · CVE-2019-16366
**Name of the Vulnerable Software and Affected Versions**
Moddable SDK OS180329 version 9.0.0
**Description**
The issue is a heap-based buffer overflow in the `fxBeginHost` function in `xsAPI.c` when it is called from `fxRunDefine` in `xsRun.c`. Both are internal routines of the XS JavaScript engine that ships with the SDK, not APIs a script calls directly, so the overflow is reached indirectly: crafted JavaScript code supplied to the `xst` test tool drives the interpreter down this path and corrupts heap memory. The advisory does not state which JavaScript constructs trigger it or whether the corruption is controllable beyond a crash.
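As an added illustration, and not code from the page or from the Moddable SDK, the following toy C program shows the bug class the advisory names: a VM keeps its value stack in a heap block, and the routine that enters a "host" frame reserves slots by moving the stack pointer without checking that the block has room. The hardened variant computes the free space first and fails closed. Every name here (`vm_t`, `begin_host_unchecked`, `begin_host_checked`, `HOST_FRAME_SLOTS`, the scenario helpers) is hypothetical and does not correspond to XS internals; the advisory does not disclose the actual root cause in `fxBeginHost`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy VM, not Moddable/XS code. The value stack lives in
   one heap block and grows downward, from stackTop toward stackBottom. */
typedef struct { uint32_t kind; uint32_t value; } slot_t;

typedef struct {
    slot_t *stackBottom;  /* first slot of the heap block (lowest address) */
    slot_t *stackTop;     /* one past the last slot of the block */
    slot_t *stack;        /* current stack pointer */
} vm_t;

#define HOST_FRAME_SLOTS 4  /* slots a host frame reserves (hypothetical) */

static vm_t *vm_create(size_t slots) {
    vm_t *vm = calloc(1, sizeof *vm);
    if (!vm) return NULL;
    vm->stackBottom = calloc(slots, sizeof(slot_t));
    if (!vm->stackBottom) { free(vm); return NULL; }
    vm->stackTop = vm->stackBottom + slots;
    vm->stack = vm->stackTop;  /* empty stack */
    return vm;
}

static void vm_destroy(vm_t *vm) {
    if (vm) { free(vm->stackBottom); free(vm); }
}

/* Push one value; refuses when the block is full. */
static int vm_push(vm_t *vm, uint32_t value) {
    if (vm->stack == vm->stackBottom) return 0;
    vm->stack--;
    vm->stack->kind = 1;
    vm->stack->value = value;
    return 1;
}

static size_t vm_depth(const vm_t *vm) {
    return (size_t)(vm->stackTop - vm->stack);
}

/* Vulnerable pattern: the frame is reserved and zeroed with no check that
   HOST_FRAME_SLOTS slots remain. If fewer remain, the writes land before
   stackBottom, i.e. outside the heap allocation: a heap-based overflow.
   Shown for contrast only; the scenarios below never call it. */
static slot_t *begin_host_unchecked(vm_t *vm) {
    slot_t *frame = vm->stack - HOST_FRAME_SLOTS;
    vm->stack = frame;
    memset(frame, 0, HOST_FRAME_SLOTS * sizeof *frame);
    return frame;
}

/* Hardened pattern: measure the room first and fail closed. A real engine
   would raise its stack-overflow / out-of-memory error instead of NULL. */
static slot_t *begin_host_checked(vm_t *vm) {
    size_t room = (size_t)(vm->stack - vm->stackBottom);
    if (room < HOST_FRAME_SLOTS)
        return NULL;
    slot_t *frame = vm->stack - HOST_FRAME_SLOTS;
    vm->stack = frame;
    memset(frame, 0, HOST_FRAME_SLOTS * sizeof *frame);
    return frame;
}

static void end_host(vm_t *vm, slot_t *frame) {
    vm->stack = frame + HOST_FRAME_SLOTS;
}

/* How many slots begin_host_unchecked would write below the heap block
   for a stack of `slots` with `prefill` values already pushed. Computed
   arithmetically so the demo never performs the out-of-bounds write. */
static size_t unchecked_underrun_slots(size_t slots, size_t prefill) {
    return prefill + HOST_FRAME_SLOTS > slots ? prefill + HOST_FRAME_SLOTS - slots : 0;
}

/* Returns 1 if the checked entry succeeded, 0 if it refused, -1 on error. */
static int run_scenario(size_t slots, size_t prefill) {
    vm_t *vm = vm_create(slots);
    if (!vm) return -1;
    for (size_t i = 0; i < prefill; i++)
        if (!vm_push(vm, (uint32_t)i)) { vm_destroy(vm); return -1; }
    slot_t *frame = begin_host_checked(vm);
    int ok = frame != NULL;
    if (ok) end_host(vm, frame);
    int balanced = vm_depth(vm) == prefill;  /* frame fully popped again */
    vm_destroy(vm);
    return ok && !balanced ? -1 : ok;
}

int main(void) {
    printf("8 slots, 3 used: checked entry %s\n", run_scenario(8, 3) ? "ok" : "refused");
    printf("8 slots, 6 used: checked entry %s; unchecked would underrun by %zu slots\n",
           run_scenario(8, 6) ? "ok" : "refused", unchecked_underrun_slots(8, 6));
    return 0;
}
```

The point of the pair is where the check sits: the unchecked routine is correct whenever its callers happen to leave enough room, which is exactly why a previously untested caller (here, an interpreter path reached by unusual script input) turns it into a memory-safety bug. Building such a harness with `-fsanitize=address` makes the unchecked variant abort on the first out-of-bounds write.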
**Recommendations**
`fxBeginHost` and `fxRunDefine` are internal engine routines that ordinary JavaScript exercises indirectly, so access to them cannot be restricted at the source level and avoiding them is not a workable mitigation. For Moddable SDK OS180329 version 9.0.0, treat any JavaScript given to `xst` as untrusted input that can corrupt the heap: do not run scripts from untrusted sources with a build of this release, and run `xst` in an isolated, disposable environment when triaging suspicious inputs. Update to a Moddable SDK release newer than OS180329 that addresses this issue; check the upstream repository history for the fix before relying on it. When reproducing or fuzzing, build `xst` with AddressSanitizer so the overflow is reported at the first out-of-bounds write rather than surfacing later as an unrelated crash.