src: guard against overflow in ParseArrayIndex()
ParseArrayIndex() would wrap around large (>=2^32) index values on
platforms where sizeof(int64_t) > sizeof(size_t).  Ensure that the
return value fits in a size_t.

PR-URL: #7497
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
bnoordhuis authored and cjihrig committed Aug 10, 2016
1 parent c730a5d commit f3e5b39
Showing 2 changed files with 12 additions and 0 deletions.
5 changes: 5 additions & 0 deletions src/node_buffer.cc
Expand Up @@ -207,6 +207,11 @@ inline MUST_USE_RESULT bool ParseArrayIndex(Local<Value> arg,
if (tmp_i < 0)
return false;

// Check that the result fits in a size_t.
const uint64_t kSizeMax = static_cast<uint64_t>(static_cast<size_t>(-1));
if (static_cast<uint64_t>(tmp_i) > kSizeMax)
return false;

*ret = static_cast<size_t>(tmp_i);
return true;
}
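Review bot: the bound on the new kSizeMax line is spelled static_cast<size_t>(-1), which relies on unsigned wraparound to mean "largest size_t"; std::numeric_limits<size_t>::max() or SIZE_MAX states that directly and is easier to audit. The comparison itself is sound, because the tmp_i < 0 check just above means the cast to uint64_t cannot change the value. The comment could also say that the check only has an effect where size_t is narrower than int64_t, as the commit message describes, since with a 64-bit size_t the condition can never be true.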
7 changes: 7 additions & 0 deletions test/parallel/test-buffer-alloc.js
Expand Up @@ -1454,6 +1454,13 @@ assert.throws(function() {
Buffer.from(new ArrayBuffer(0), -1 >>> 0);
}, /RangeError: 'offset' is out of bounds/);

// ParseArrayIndex() should reject values that don't fit in a 32 bits size_t.
assert.throws(() => {
const a = Buffer(1).fill(0);
const b = Buffer(1).fill(0);
a.copy(b, 0, 0x100000000, 0x100000001);
}), /out of range index/;

// Unpooled buffer (replaces SlowBuffer)
const ubuf = Buffer.allocUnsafeSlow(10);
assert(ubuf);
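Review bot: the closing line of the new assert.throws() call reads }), /out of range index/; so the parenthesis closes the call before the regular expression, which is then evaluated as a separate expression through the comma operator and discarded. As written the test only checks that a.copy() throws something, not that the message matches. The assertion just above it in the context lines shows the intended form; this should be }, /out of range index/); so the pattern is passed as the second argument. Minor: the comment would read better as "a 32-bit size_t".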