src: guard against overflow in ParseArrayIndex()

bnoordhuis · cjihrig · commit f3e5b396967f · 2016-08-10T11:00:20.000-04:00
ParseArrayIndex() would wrap around large (>=2^32) index values on platforms where sizeof(int64_t) > sizeof(size_t). Ensure that the return value fits in a size_t. PR-URL: #7497 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/src/node_buffer.cc b/src/node_buffer.cc
@@ -207,6 +207,11 @@ inline MUST_USE_RESULT bool ParseArrayIndex(Local<Value> arg,
   if (tmp_i < 0)
     return false;
 
+  // Check that the result fits in a size_t.
+  const uint64_t kSizeMax = static_cast<uint64_t>(static_cast<size_t>(-1));
+  if (static_cast<uint64_t>(tmp_i) > kSizeMax)
+    return false;
+
   *ret = static_cast<size_t>(tmp_i);
   return true;
 }
diff --git a/test/parallel/test-buffer-alloc.js b/test/parallel/test-buffer-alloc.js
@@ -1454,6 +1454,13 @@ assert.throws(function() {
   Buffer.from(new ArrayBuffer(0), -1 >>> 0);
 }, /RangeError: 'offset' is out of bounds/);
 
+// ParseArrayIndex() should reject values that don't fit in a 32 bits size_t.
+assert.throws(() => {
+  const a = Buffer(1).fill(0);
+  const b = Buffer(1).fill(0);
+  a.copy(b, 0, 0x100000000, 0x100000001);
+}), /out of range index/;
+
 // Unpooled buffer (replaces SlowBuffer)
 const ubuf = Buffer.allocUnsafeSlow(10);
 assert(ubuf);
