crypto.randomFill : error with TypedArray

[arkerone]

• Version: v15.14.0
• Platform: Linux dev-laptop 5.8.10-050810-generic #202009171232 SMP Thu Sep 17 12:34:50 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
• Subsystem: crypto.randomFill

I've opened a PR about a typo bug : #38131
But I think that I found a bug.

What steps will reproduce the bug?

Run this code :

const crypto = require('crypto')

const buf = new Uint16Array(10)

crypto.randomFill(buf, 0, (err, res) => {
if (err) throw err;
   console.log(buf.toString('hex'));
});

How often does it reproduce? Is there a required condition?

Always with the code above or TypedArray with size element > 1 Byte

What is the expected behavior?

a buffer fill with random bytes

What do you see instead?

I got this error :
RangeError [ERR_OUT_OF_RANGE]: The value of "size + offset" is out of range. It must be <= 20. Received 40

Additional information

I think there a problem with the assertSize function because the first param is the number of element but we pass the number of bytes (ie: buf.byteLength). The assertSize function must be called only when the size parameter is passed to the randomFill function.

I can open a PR if the issue is confirmed : arkerone@77bbef8

[jasnell]

Yep, you're right. I've got a fix just about ready.

[arkerone]

Yep, you're right. I've got a fix just about ready.

I've a solution that seems work : arkerone@77bbef8

[Ayase-252]

@arkerone Thank you for bug report.

Your PR #38131 may reveal an intricate bug that in calling crypo.randomFill(buf, callback). The size of buffer is not checked properly.

node/lib/internal/crypto/random.js

Line 168 in 038608d

if (size === undefined) {

Since bytesLength does not exist in any supported buffer type <ArrayBuffer> | <Buffer> | <TypedArray> | <DataView>, it prevents assertSize from happening.

Your solution arkerone@77bbef8 seems making assertSize is also skipped in crypo.randomFill(buf, offset, callback) situation. I'm afraid that it may not be a valid fix.

[arkerone]

@arkerone Thank you for bug report.

Your PR #38131 may reveal an intricate bug that in calling crypo.randomFill(buf, callback). The size of buffer is not checked properly.

node/lib/internal/crypto/random.js

Line 168 in 038608d

if (size === undefined) {

Since bytesLength does not exist in any supported buffer type <ArrayBuffer> | <Buffer> | <TypedArray> | <DataView>, it prevents assertSize from happening.

Your solution arkerone@77bbef8 seems making assertSize is also skipped in crypo.randomFill(buf, offset, callback) situation. I'm afraid that it may not be a valid fix.

I thought that assertSize should only be called when the size parameter was passed to the randomFill function. It's the case for the randomFillSync function.

[Ayase-252]

@arkerone Thank you for bug report.

Your PR #38131 may reveal an intricate bug that in calling crypo.randomFill(buf, callback). The size of buffer is not checked properly.

node/lib/internal/crypto/random.js

Line 168 in 038608d

if (size === undefined) {

Since bytesLength does not exist in any supported buffer type <ArrayBuffer> | <Buffer> | <TypedArray> | <DataView>, it prevents assertSize from happening.

Your solution arkerone@77bbef8 seems making assertSize is also skipped in crypo.randomFill(buf, offset, callback) situation. I'm afraid that it may not be a valid fix.

I thought that assertSize should only be called when the size parameter was passed to the randomFill function. It's the case for the randomFillSync function.

Yes, it seems so. Thank you for kind correction.

[jasnell]

PR Here: #38138