authorRod Vagg <rod@vagg.org>2018-08-14 20:18:06 +1000
committerRod Vagg <rod@vagg.org>2018-08-16 19:14:15 +1000
commit88105c998ef9d3f54aa8f22b82ec8cc31cbfac95 (patch)
tree694072201ff12bef4d2673596577fab0dcc926c3 /test/parallel/test-buffer-write.js
parent40a7beeddac9b9ec9ef5b49157daaf8470648b08 (diff)
buffer: avoid overrun on UCS-2 string write
CVE-2018-12115 Discovered by ChALkeR - Сковорода Никита Андреевич Fix by Anna Henningsen Writing to the second-to-last byte with UCS-2 encoding will cause a -1 length to be sent to String::Write(), writing all of the provided Buffer from that point and beyond. Fixes: https://github.com/nodejs-private/security/issues/203 PR-URL: https://github.com/nodejs-private/node-private/pull/138
Diffstat (limited to 'test/parallel/test-buffer-write.js')
-rw-r--r--test/parallel/test-buffer-write.js21
1 files changed, 21 insertions, 0 deletions
diff --git a/test/parallel/test-buffer-write.js b/test/parallel/test-buffer-write.js
index 06117f614e..c0c5e9c88f 100644
--- a/test/parallel/test-buffer-write.js
+++ b/test/parallel/test-buffer-write.js
@@ -70,3 +70,24 @@ for (let i = 1; i < 10; i++) {
assert.ok(!Buffer.isEncoding(encoding));
assert.throws(() => Buffer.alloc(9).write('foo', encoding), error);
}
+
+// UCS-2 overflow CVE-2018-12115
+for (let i = 1; i < 4; i++) {
+ // Allocate two Buffers sequentially off the pool. Run more than once in case
+ // we hit the end of the pool and don't get sequential allocations
+ const x = Buffer.allocUnsafe(4).fill(0);
+ const y = Buffer.allocUnsafe(4).fill(1);
+ // Should not write anything, pos 3 doesn't have enough room for a 16-bit char
+ assert.strictEqual(x.write('ыыыыыы', 3, 'ucs2'), 0);
+ // CVE-2018-12115 experienced via buffer overrun to next block in the pool
+ assert.strictEqual(Buffer.compare(y, Buffer.alloc(4, 1)), 0);
+}
+
+// Should not write any data when there is no space for 16-bit chars
+const z = Buffer.alloc(4, 0);
+assert.strictEqual(z.write('\u0001', 3, 'ucs2'), 0);
+assert.strictEqual(Buffer.compare(z, Buffer.alloc(4, 0)), 0);
+
+// Large overrun could corrupt the process
+assert.strictEqual(Buffer.alloc(4)
+ .write('ыыыыыы'.repeat(100), 3, 'utf16le'), 0);
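Review bot: The regression check in the loop can pass vacuously: the comment above `const x`/`const y` admits the two allocations may not be sequential, but nothing in the loop detects that case, so if every iteration straddles a pool boundary (or if `y` is not laid out after `x` in the same pool) the `Buffer.compare(y, ...)` assertion proves nothing about the overrun. I would record whether at least one iteration actually got a pool-adjacent pair (`x.buffer === y.buffer && y.byteOffset > x.byteOffset`) and assert that after the loop, so a future allocator change cannot silently turn this into a no-op test. The loop also never verifies `x` itself stayed zeroed, so a 1-byte partial write at offset 3 would only be caught indirectly by the later `z` case; adding `assert.strictEqual(Buffer.compare(x, Buffer.alloc(4, 0)), 0);` closes that gap. Whether pooled allocations are exactly adjacent or padded by alignment is an allocator detail not visible here, which is precisely why the adjacency should be checked rather than assumed.
```javascript
// UCS-2 overflow CVE-2018-12115
let adjacentPairSeen = false;
for (let i = 1; i < 4; i++) {
  // Allocate two Buffers sequentially off the pool. Run more than once in case
  // we hit the end of the pool and don't get sequential allocations
  const x = Buffer.allocUnsafe(4).fill(0);
  const y = Buffer.allocUnsafe(4).fill(1);
  // Only a pair that shares the pool with y after x can observe an overrun.
  if (x.buffer === y.buffer && y.byteOffset > x.byteOffset)
    adjacentPairSeen = true;
  // Should not write anything, pos 3 doesn't have enough room for a 16-bit char
  assert.strictEqual(x.write('ыыыыыы', 3, 'ucs2'), 0);
  // x itself must be untouched too (no partial 1-byte write at pos 3)
  assert.strictEqual(Buffer.compare(x, Buffer.alloc(4, 0)), 0);
  // CVE-2018-12115 experienced via buffer overrun to next block in the pool
  assert.strictEqual(Buffer.compare(y, Buffer.alloc(4, 1)), 0);
}
// Without at least one adjacent pair the overrun assertions above were vacuous.
assert.ok(adjacentPairSeen);
// … unchanged: z case and large-overrun case …
```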