From deb5effe017aa10e4fd1e0ce798236e38a432c77 Mon Sep 17 00:00:00 2001
From: Robert Nagy
Date: Mon, 7 Oct 2024 13:11:29 +0200
Subject: [PATCH] v8: out of bounds copy

Fixes: https://github.com/nodejs/node/issues/54573
Co-authored-by: ronag
Co-authored-by: ramidzkh
PR-URL: https://github.com/nodejs/node/pull/55261
Reviewed-By: Yagiz Nizipli
Reviewed-By: Joyee Cheung
---
 lib/v8.js                                   | 3 +--
 test/parallel/test-v8-deserialize-buffer.js | 4 ++++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/v8.js b/lib/v8.js
index b687d8709c9..7a8979887ba 100644
--- a/lib/v8.js
+++ b/lib/v8.js
@@ -49,7 +49,6 @@ if (internalBinding('config').hasInspector) {
 }
 
 const assert = require('internal/assert');
-const { copy } = internalBinding('buffer');
 const { inspect } = require('internal/util/inspect');
 const { FastBuffer } = require('internal/buffer');
 const { getValidatedPath } = require('internal/fs/utils');
@@ -368,7 +367,7 @@ class DefaultDeserializer extends Deserializer {
     }
     // Copy to an aligned buffer first.
     const buffer_copy = Buffer.allocUnsafe(byteLength);
-    copy(this.buffer, buffer_copy, 0, byteOffset, byteOffset + byteLength);
+    buffer_copy.set(new Uint8Array(this.buffer.buffer, this.buffer.byteOffset + byteOffset, byteLength));
     return new ctor(buffer_copy.buffer,
                     buffer_copy.byteOffset,
                     byteLength / BYTES_PER_ELEMENT);
diff --git a/test/parallel/test-v8-deserialize-buffer.js b/test/parallel/test-v8-deserialize-buffer.js
index f05631a72af..8626cf14a92 100644
--- a/test/parallel/test-v8-deserialize-buffer.js
+++ b/test/parallel/test-v8-deserialize-buffer.js
@@ -5,3 +5,7 @@ const v8 = require('v8');
 
 process.on('warning', common.mustNotCall());
 v8.deserialize(v8.serialize(Buffer.alloc(0)));
+v8.deserialize(v8.serialize({ a: new Int32Array(1024) }));
+v8.deserialize(v8.serialize({ b: new Int16Array(8192) }));
+v8.deserialize(v8.serialize({ c: new Uint32Array(1024) }));
+v8.deserialize(v8.serialize({ d: new Uint16Array(8192) }));
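Review bot: The new copy line in the lib/v8.js hunk at -368 builds its source view over `this.buffer.buffer` starting at `this.buffer.byteOffset + byteOffset`, so the RangeError the Uint8Array constructor raises only guards the underlying ArrayBuffer, not `this.buffer` itself; if `this.buffer` is a slice of a larger (for example pooled) allocation, an oversized byteLength from untrusted serialized input would read neighbouring bytes of that allocation unless byteLength was already bounded against `this.buffer` earlier in the method (presumably by `_readRawBytes`), which the hunk does not show. A comment stating that dependency, e.g. `// byteLength was bounds-checked against this.buffer when it was read above; the view below cannot escape this.buffer.`, would make the invariant explicit where the code relies on it. Separately, `buffer_copy.set(...)` goes through the public `Uint8Array.prototype`, which user code can replace; Node's lib normally routes such calls through primordials, so `TypedArrayPrototypeSet(buffer_copy, new Uint8Array(this.buffer.buffer, this.buffer.byteOffset + byteOffset, byteLength));` would keep this internal path independent of prototype tampering, assuming that primordial is imported in this file. The enclosing method of DefaultDeserializer starts and ends outside the hunk.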
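Review bot: The four added calls in test-v8-deserialize-buffer.js only check that `deserialize` does not throw; none compares the round-tripped view with the original, so a copy that lands at the wrong offset or with the wrong length but stays in bounds would still pass. Using non-zero content and asserting the result, e.g. `const a = new Int32Array(1024).map((_, i) => i);` and `assert.deepStrictEqual(v8.deserialize(v8.serialize({ a })), { a });` (the file would need `const assert = require('assert');`), pins the copied bytes rather than just the absence of an exception. A short comment above the block saying what these particular element types and sizes are meant to exercise (presumably the aligned-copy fallback in DefaultDeserializer) would also explain the choice to a later reader.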