Nodejs/node
1
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2024-11-21 10:59:27 +00:00
Code Issues Actions 25 Packages Projects Releases Wiki Activity

v8: out of bounds copy

Browse Source 
Fixes: https://github.com/nodejs/node/issues/54573

Co-authored-by: ronag <ronagy@icloud.com>
Co-authored-by: ramidzkh <ramidzkh@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/55261
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
This commit is contained in:
Robert Nagy 2024-10-07 13:11:29 +02:00 committed by GitHub
parent d5eb9a378e
commit deb5effe01
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
lib/v8.js
View File

@ -49,7 +49,6 @@ if (internalBinding('config').hasInspector) {
} }
const assert = require('internal/assert'); const assert = require('internal/assert');
const { copy } = internalBinding('buffer');
const { inspect } = require('internal/util/inspect'); const { inspect } = require('internal/util/inspect');
const { FastBuffer } = require('internal/buffer'); const { FastBuffer } = require('internal/buffer');
const { getValidatedPath } = require('internal/fs/utils'); const { getValidatedPath } = require('internal/fs/utils');
@ -368,7 +367,7 @@ class DefaultDeserializer extends Deserializer {
} }
// Copy to an aligned buffer first. // Copy to an aligned buffer first.
const buffer_copy = Buffer.allocUnsafe(byteLength); const buffer_copy = Buffer.allocUnsafe(byteLength);
copy(this.buffer, buffer_copy, 0, byteOffset, byteOffset + byteLength); buffer_copy.set(new Uint8Array(this.buffer.buffer, this.buffer.byteOffset + byteOffset, byteLength));
return new ctor(buffer_copy.buffer, return new ctor(buffer_copy.buffer,
buffer_copy.byteOffset, buffer_copy.byteOffset,
byteLength / BYTES_PER_ELEMENT); byteLength / BYTES_PER_ELEMENT);

4
test/parallel/test-v8-deserialize-buffer.js
View File

@ -5,3 +5,7 @@ const v8 = require('v8');
process.on('warning', common.mustNotCall()); process.on('warning', common.mustNotCall());
v8.deserialize(v8.serialize(Buffer.alloc(0))); v8.deserialize(v8.serialize(Buffer.alloc(0)));
v8.deserialize(v8.serialize({ a: new Int32Array(1024) }));
v8.deserialize(v8.serialize({ b: new Int16Array(8192) }));
v8.deserialize(v8.serialize({ c: new Uint32Array(1024) }));
v8.deserialize(v8.serialize({ d: new Uint16Array(8192) }));