authorAnna Henningsen <anna@addaleax.net>2016-04-21 11:04:31 +0200
committerAnna Henningsen <anna@addaleax.net>2016-04-22 20:28:53 +0200
commita3b5b9cbf2cb858bdb7c5e5b1e3c8b92c43a1c4a (patch)
tree52cc5962a6720d0a230ca1e669678d6426f0f309 /src/util.cc
parent0e7d57af3573b4dcba81217bba2f041dbdc173dc (diff)
src: fix out-of-bounds write in TwoByteValue
Plan 2 bytes instead of 1 byte for the final zero terminator for UTF-16. This is unlikely to cause real-world problems, but that ultimately depends on the `malloc` implementation. The issue can be uncovered by running e.g. `valgrind node -e "Buffer(65536).fill('a'.repeat(4096), 'utf16le')"` Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> PR-URL: https://github.com/nodejs/node/pull/6330
Diffstat (limited to 'src/util.cc')
-rw-r--r--src/util.cc4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/util.cc b/src/util.cc
index 3b0278ceda..20325d0bed 100644
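--- a/src/util.cc
+++ b/src/util.cc
@@ -47,7 +47,9 @@ TwoByteValue::TwoByteValue(Isolate* isolate, Local<Value> value)
 return;
 // Allocate enough space to include the null terminator
-size_t len = StringBytes::StorageSize(isolate, string, UCS2) + 1;
+size_t len =
+StringBytes::StorageSize(isolate, string, UCS2) +
+sizeof(uint16_t);
 if (len > sizeof(str_st_)) {
 str_ = static_cast<uint16_t*>(malloc(len));
 CHECK_NE(str_, nullptr);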
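Review bot: The comment above the changed line still reads `// Allocate enough space to include the null terminator`, which is exactly what the old `+ 1` claimed to do as well; since `len` is a byte count while `str_` is a `uint16_t*`, the unit mismatch that produced the out-of-bounds write is worth stating there, e.g. `// Allocate enough space, in bytes, for the string plus a two-byte UTF-16 null terminator`. The comparison `len > sizeof(str_st_)` is consistent with that only if `str_st_` is a `uint16_t` array, which is presumably the case but is declared outside the hunk. Naming the variable `byte_len` would make the unit self-documenting, but it is used further down in the constructor, which continues past the end of the hunk.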