author | Ben Noordhuis <info@bnoordhuis.nl> | 2016-06-30 11:51:17 +0200 |
---|---|---|
committer | Ben Noordhuis <info@bnoordhuis.nl> | 2016-07-06 16:30:39 +0200 |
commit | 630096bc80f16cfc9602f7cf8d091633928f72c7 (patch) | |
tree | 56a9281b923da828dc54b43f77a7eb804a5fad87 /test | |
parent | 6ae20433c9fec27e638751c321ac9a27690218c2 (diff) | |
src: guard against overflow in ParseArrayIndex()
ParseArrayIndex() would wrap around large (>=2^32) index values on
platforms where sizeof(int64_t) > sizeof(size_t). Ensure that the
return value fits in a size_t.
PR-URL: https://github.com/nodejs/node/pull/7497
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Diffstat (limited to 'test')
-rw-r--r-- | test/parallel/test-buffer-alloc.js | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/test/parallel/test-buffer-alloc.js b/test/parallel/test-buffer-alloc.js
index a1f7cae33f..42f8e27046 100644
--- a/test/parallel/test-buffer-alloc.js
+++ b/test/parallel/test-buffer-alloc.js
@@ -1462,6 +1462,13 @@ assert.throws(function() {
 Buffer.from(new ArrayBuffer(0), -1 >>> 0);
 }, /RangeError: 'offset' is out of bounds/);
 
+// ParseArrayIndex() should reject values that don't fit in a 32 bits size_t.
+assert.throws(() => {
+ const a = Buffer(1).fill(0);
+ const b = Buffer(1).fill(0);
+ a.copy(b, 0, 0x100000000, 0x100000001);
+}), /out of range index/;
+
 // Unpooled buffer (replaces SlowBuffer)
 const ubuf = Buffer.allocUnsafeSlow(10);
 assert(ubuf);  |
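Review bot: The expected-message pattern never reaches `assert.throws` in the added test: the call is closed by `})`, which leaves `/out of range index/` as the discarded right-hand operand of a comma expression. Any exception thrown inside the callback therefore satisfies the assertion. Move the parenthesis so the regex is the second argument: `}, /out of range index/);`. As written, the test still fails if the oversized index wraps and `a.copy()` does not throw, but it would also pass on an unrelated error, which weakens it as a regression test for the size_t range check described in the commit message.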