author | Rod Vagg <rod@vagg.org> | 2018-08-14 20:18:06 +1000 |
committer | Rod Vagg <rod@vagg.org> | 2018-08-16 19:14:15 +1000 |
commit | 88105c998ef9d3f54aa8f22b82ec8cc31cbfac95 (patch) | |
tree | 694072201ff12bef4d2673596577fab0dcc926c3 /test/parallel/test-buffer-write.js | |
parent | 40a7beeddac9b9ec9ef5b49157daaf8470648b08 (diff) | |
download | android-node-v8-88105c998ef9d3f54aa8f22b82ec8cc31cbfac95.tar.gz android-node-v8-88105c998ef9d3f54aa8f22b82ec8cc31cbfac95.tar.bz2 android-node-v8-88105c998ef9d3f54aa8f22b82ec8cc31cbfac95.zip |
buffer: avoid overrun on UCS-2 string write
CVE-2018-12115
Discovered by ChALkeR - Сковорода Никита Андреевич
Fix by Anna Henningsen
Writing to the second-to-last byte with UCS-2 encoding will cause a -1
length to be sent to String::Write(), writing all of the provided Buffer
from that point and beyond.
Fixes: https://github.com/nodejs-private/security/issues/203
PR-URL: https://github.com/nodejs-private/node-private/pull/138
Diffstat (limited to 'test/parallel/test-buffer-write.js')
-rw-r--r-- | test/parallel/test-buffer-write.js | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/test/parallel/test-buffer-write.js b/test/parallel/test-buffer-write.js
index 06117f614e..c0c5e9c88f 100644
--- a/test/parallel/test-buffer-write.js
+++ b/test/parallel/test-buffer-write.js
@@ -70,3 +70,24 @@ for (let i = 1; i < 10; i++) {
 assert.ok(!Buffer.isEncoding(encoding));
 assert.throws(() => Buffer.alloc(9).write('foo', encoding), error);
 }
+
+// UCS-2 overflow CVE-2018-12115
+for (let i = 1; i < 4; i++) {
+ // Allocate two Buffers sequentially off the pool. Run more than once in case
+ // we hit the end of the pool and don't get sequential allocations
+ const x = Buffer.allocUnsafe(4).fill(0);
+ const y = Buffer.allocUnsafe(4).fill(1);
+ // Should not write anything, pos 3 doesn't have enough room for a 16-bit char
+ assert.strictEqual(x.write('ыыыыыы', 3, 'ucs2'), 0);
+ // CVE-2018-12115 experienced via buffer overrun to next block in the pool
+ assert.strictEqual(Buffer.compare(y, Buffer.alloc(4, 1)), 0);
+}
+
+// Should not write any data when there is no space for 16-bit chars
+const z = Buffer.alloc(4, 0);
+assert.strictEqual(z.write('\u0001', 3, 'ucs2'), 0);
+assert.strictEqual(Buffer.compare(z, Buffer.alloc(4, 0)), 0);
+
+// Large overrun could corrupt the process
+assert.strictEqual(Buffer.alloc(4)
+ .write('ыыыыыы'.repeat(100), 3, 'utf16le'), 0); |
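Review bot: The neighbour check in the `for (let i = 1; i < 4; i++)` loop never verifies that `y` was actually allocated directly after `x`, so when the two `allocUnsafe(4)` calls are not adjacent in the pool (the case the comment itself anticipates) the `Buffer.compare(y, Buffer.alloc(4, 1))` assertion passes without the overrun path having been observable, and the regression test for CVE-2018-12115 silently loses its value. Adjacency is cheap to check from the visible code via `x.buffer === y.buffer && y.byteOffset === x.byteOffset + 4`; recording whether any iteration produced an adjacent pair and asserting that after the loop keeps the test honest, while the `compare` itself can stay unconditional since it is harmless on a non-adjacent pair. Whether three iterations always yield an adjacent pair depends on pool state outside this file, so the post-loop assertion may need a larger iteration count; worth confirming against how the pool is sized. As a minor style point, the loop index `i` is unused, so `for (let i = 0; i < 3; i++)` (or a plain count) reads more naturally than starting at 1.
```javascript
// UCS-2 overflow CVE-2018-12115
let sawAdjacentPair = false;
for (let i = 0; i < 3; i++) {
  // … unchanged: allocate x (filled 0) and y (filled 1) off the pool …
  // Only a neighbour that directly follows x in the same ArrayBuffer can
  // observe a write running past x's end.
  if (x.buffer === y.buffer && y.byteOffset === x.byteOffset + 4) {
    sawAdjacentPair = true;
  }
  // … unchanged: x.write(...) === 0 and Buffer.compare(y, ...) === 0 assertions …
}
// If no iteration produced an adjacent pair, the overrun was never observable
// and the assertions above proved nothing.
assert.ok(sawAdjacentPair, 'no adjacent pool allocations; overrun check not exercised');
```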