diff options
author | Ben Noordhuis <info@bnoordhuis.nl> | 2013-01-17 01:10:15 +0100 |
---|---|---|
committer | Ben Noordhuis <info@bnoordhuis.nl> | 2013-01-17 01:22:11 +0100 |
commit | 498200b87c186658c867772bd6cf0c8afcb2b56b (patch) | |
tree | aa5c9c7af6719e5ce1e27cae2ad36b7251af6b8a /src/node_buffer.cc | |
parent | 6b4a93577b5677f9738f6dd7d7acd71f86f46888 (diff) | |
download | android-node-v8-498200b87c186658c867772bd6cf0c8afcb2b56b.tar.gz android-node-v8-498200b87c186658c867772bd6cf0c8afcb2b56b.tar.bz2 android-node-v8-498200b87c186658c867772bd6cf0c8afcb2b56b.zip |
buffer: reject negative SlowBuffer offsets
Reject negative offsets in SlowBuffer::MakeFastBuffer(), it allows
the creation of buffers that point to arbitrary addresses.
Reported by Trevor Norris.
Diffstat (limited to 'src/node_buffer.cc')
-rw-r--r-- | src/node_buffer.cc | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/src/node_buffer.cc b/src/node_buffer.cc index 98dfa5e000..4a6e836653 100644 --- a/src/node_buffer.cc +++ b/src/node_buffer.cc @@ -708,6 +708,19 @@ Handle<Value> Buffer::MakeFastBuffer(const Arguments &args) { uint32_t offset = args[2]->Uint32Value(); uint32_t length = args[3]->Uint32Value(); + if (offset > buffer->length_) { + return ThrowRangeError("offset out of range"); + } + + if (offset + length > buffer->length_) { + return ThrowRangeError("length out of range"); + } + + // Check for wraparound. Safe because offset and length are unsigned. + if (offset + length < offset) { + return ThrowRangeError("offset or length out of range"); + } + fast_buffer->SetIndexedPropertiesToExternalArrayData(buffer->data_ + offset, kExternalUnsignedByteArray, length); |