jiangcuo/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2025-05-16 12:34:33 +00:00
Code Issues Actions 12 Packages Projects Releases Wiki Activity

src: guard against overflow in ParseArrayIndex()

Browse Source 
ParseArrayIndex() would wrap around large (>=2^32) index values on
platforms where sizeof(int64_t) > sizeof(size_t).  Ensure that the
return value fits in a size_t.

PR-URL: https://github.com/nodejs/node/pull/7497
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit is contained in:
Ben Noordhuis 2016-06-30 11:51:17 +02:00
parent 6ae20433c9
commit 630096bc80
2 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/node_buffer.cc
View File

@ -207,6 +207,11 @@ inline MUST_USE_RESULT bool ParseArrayIndex(Local<Value> arg,
if (tmp_i < 0) if (tmp_i < 0)
return false; return false;
// Check that the result fits in a size_t.
const uint64_t kSizeMax = static_cast<uint64_t>(static_cast<size_t>(-1));
if (static_cast<uint64_t>(tmp_i) > kSizeMax)
return false;
*ret = static_cast<size_t>(tmp_i); *ret = static_cast<size_t>(tmp_i);
return true; return true;
} }

7
test/parallel/test-buffer-alloc.js
View File

@ -1462,6 +1462,13 @@ assert.throws(function() {
Buffer.from(new ArrayBuffer(0), -1 >>> 0); Buffer.from(new ArrayBuffer(0), -1 >>> 0);
}, /RangeError: 'offset' is out of bounds/); }, /RangeError: 'offset' is out of bounds/);
// ParseArrayIndex() should reject values that don't fit in a 32 bits size_t.
assert.throws(() => {
const a = Buffer(1).fill(0);
const b = Buffer(1).fill(0);
a.copy(b, 0, 0x100000000, 0x100000001);
}), /out of range index/;
// Unpooled buffer (replaces SlowBuffer) // Unpooled buffer (replaces SlowBuffer)
const ubuf = Buffer.allocUnsafeSlow(10); const ubuf = Buffer.allocUnsafeSlow(10);
assert(ubuf); assert(ubuf);